[users@httpd] Serving pre-compressed static content using httpd 2.2.x

2012-03-22 Thread Christopher Schultz 
All,

I've been reading a bit lately about serving pre-compressed static
content with httpd, and it looks like I have a few options that have
various pros and cons. I'd like to make sure I have things straight
because my testing so far has left me a bit frazzled.

If I'm wrong about any of the assertions below, please correct me. I'd
definitely like to do this the "right way".

Using mod_negotiation, I can either use MultiViews or use a type-map file.

Using a type-map file has these advantages as I see them:

* I can specify all the combinations for content-negotiation and httpd
doesn't have to sniff the directory to determine what combinations are
possible, supported, etc.

Disadvantages are:
* Client must request the ".var" file (or whatever I want to call it
when using "AddHandler") in order to get the negotiated content.
* Type-map file can't provide any fall-back file for when no acceptable
Accept-* headers match. For instance, if Accept-Encoding is not set, I
can't instruct mod_negotiate to serve an uncompressed file because
there's no way to say "this is the default case if nothing else matches".
* Unless I re-name the original file to be something like my.css and the
replace the original my.css with my type-map, I'll have to change all
the links to that file that I have.
* Therefore, I have to make sure that all .css files in that directory
are really type-maps in disguise.

Using MultiViews is nice because you don't need external configuration
files -- just well-named files in the first place. But...
* I can't have the original file (e.g. my.css) actually on the disk,
else httpd will serve the file directly with no negotiation.
* That means I have to move the original file out of the way
* Like type-map strategy, there's no way to provide a fall-back file
when no negotiation matches.

If I don't use content-negotiation, I can use mod_rewrite to fake it:
it's a lot easier to just look for Accept-Encoding and then do an
internal redirect to a pre-compressed file, especially since there's no
issues with language or other Accept-* headers confusing things.



This is great because the original file can sit there on the disk and I
can provide compressed versions of it to clients who can deal with it.
No changing URIs or anything like that.

Only problem is that setting the Content-Encoding header doesn't appear
to be working. When set unconditionally, it works, but when attempting
to use the "gz" environment variable, Content-Encoding doesn't seem to
be set. Also, the "Vary" header doesn't seem to be automatically set.

(Rainer Jung suggested that this would be automatically done by
mod_rewrite in this post: http://markmail.org/message/bxjpwhcw5eubjw5)

Finally, there is mod_asis. I seem to recall playing-around with a
mod_asis configuration long ago that was mostly working, but I can't
find it anymore... nor can I manage to hunt-down the references I used
at the time to build it. The obvious advantage to using mod_asis would
be that the response doesn't need to be "built" by httpd -- instead,
once the file is chosen (using mod_negotiate IIRC) it's just streamed
from disk (or better yet, OS disk cache). But is mod_negotiate required,
and will I have the same problems described above?

Are there any other techniques that will help me accomplish my goal?
Ideally, I'd have a solution that:

1. Provides pre-compressed content to clients that can handle it (duh)
2. Fall-back to uncompressed content if clients can't handle it
3. Allow me to leave my unmodified files on disk under their "real"
   file names
4. Not burn too much resources in the process: minimize regexp matches,
   minimize directory-lookups, etc.

Any corrections to the above or suggestions would be greatly appreciated.

Thanks,
-chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] Serving pre-compressed static content using httpd 2.2.x

2012-03-28 Thread Christopher Schultz 
All,

Replying to see if I can get a response. Anyone?

Thanks,
-chris

On 3/22/12 3:10 PM, Christopher Schultz wrote:
> All,
> 
> I've been reading a bit lately about serving pre-compressed static
> content with httpd, and it looks like I have a few options that have
> various pros and cons. I'd like to make sure I have things straight
> because my testing so far has left me a bit frazzled.
> 
> If I'm wrong about any of the assertions below, please correct me. I'd
> definitely like to do this the "right way".
> 
> Using mod_negotiation, I can either use MultiViews or use a type-map file.
> 
> Using a type-map file has these advantages as I see them:
> 
> * I can specify all the combinations for content-negotiation and httpd
> doesn't have to sniff the directory to determine what combinations are
> possible, supported, etc.
> 
> Disadvantages are:
> * Client must request the ".var" file (or whatever I want to call it
> when using "AddHandler") in order to get the negotiated content.
> * Type-map file can't provide any fall-back file for when no acceptable
> Accept-* headers match. For instance, if Accept-Encoding is not set, I
> can't instruct mod_negotiate to serve an uncompressed file because
> there's no way to say "this is the default case if nothing else matches".
> * Unless I re-name the original file to be something like my.css and the
> replace the original my.css with my type-map, I'll have to change all
> the links to that file that I have.
> * Therefore, I have to make sure that all .css files in that directory
> are really type-maps in disguise.
> 
> Using MultiViews is nice because you don't need external configuration
> files -- just well-named files in the first place. But...
> * I can't have the original file (e.g. my.css) actually on the disk,
> else httpd will serve the file directly with no negotiation.
> * That means I have to move the original file out of the way
> * Like type-map strategy, there's no way to provide a fall-back file
> when no negotiation matches.
> 
> If I don't use content-negotiation, I can use mod_rewrite to fake it:
> it's a lot easier to just look for Accept-Encoding and then do an
> internal redirect to a pre-compressed file, especially since there's no
> issues with language or other Accept-* headers confusing things.
> 
>Options +SymLinksIfOwnerMatch
>   RewriteEngine On
>   RewriteCond %{HTTP:Accept-Encoding} gzip
>   RewriteRule test.css$ /path/to/css/files/test.css.gz [E=gz:1]
>   Header set Content-Encoding gzip env=gz
> 
> 
> This is great because the original file can sit there on the disk and I
> can provide compressed versions of it to clients who can deal with it.
> No changing URIs or anything like that.
> 
> Only problem is that setting the Content-Encoding header doesn't appear
> to be working. When set unconditionally, it works, but when attempting
> to use the "gz" environment variable, Content-Encoding doesn't seem to
> be set. Also, the "Vary" header doesn't seem to be automatically set.
> 
> (Rainer Jung suggested that this would be automatically done by
> mod_rewrite in this post: http://markmail.org/message/bxjpwhcw5eubjw5)
> 
> Finally, there is mod_asis. I seem to recall playing-around with a
> mod_asis configuration long ago that was mostly working, but I can't
> find it anymore... nor can I manage to hunt-down the references I used
> at the time to build it. The obvious advantage to using mod_asis would
> be that the response doesn't need to be "built" by httpd -- instead,
> once the file is chosen (using mod_negotiate IIRC) it's just streamed
> from disk (or better yet, OS disk cache). But is mod_negotiate required,
> and will I have the same problems described above?
> 
> Are there any other techniques that will help me accomplish my goal?
> Ideally, I'd have a solution that:
> 
> 1. Provides pre-compressed content to clients that can handle it (duh)
> 2. Fall-back to uncompressed content if clients can't handle it
> 3. Allow me to leave my unmodified files on disk under their "real"
>file names
> 4. Not burn too much resources in the process: minimize regexp matches,
>minimize directory-lookups, etc.
> 
> Any corrections to the above or suggestions would be greatly appreciated.
> 
> Thanks,
> -chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] Httpd 2.4.1 Compatibility with mod_jk 1.2.35

2012-03-29 Thread Christopher Schultz 
Harsimranjit,

On 3/29/12 12:48 AM, Harsimranjit singh Kler wrote:
> I have tested basic functionality of this combination and it works fine.
>  
> Is there any issue or bug or i can use 1.2.35 with httpd -2.4.1

There are no issues I know of with mod_jk 1.2.35 and httpd 2.4.x, but
the two previous versions of mod_jk were both fairly broken in different
ways on both win32 and *NIX.

The shared-memory strategy is currently being significantly refactored
to improve stability (which has historically been very good) so there
might be some bumps and bruises along the way.

Head over to us...@tomcat.apache.org where most of the discussion about
mod_jk occurs if you have further questions or any problems with mod_jk.

-chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] modifying Location header

2015-10-30 Thread Christopher Schultz 
Hleb,

On 10/30/15 10:24 AM, Hleb Valoshka wrote:
> On 10/29/15, John Iliffe  wrote:
>>> Is it possible to modify Location using mod_headers? I want to replace
>>> http:// with https:// but Header edit http://(.*) https://$1 does not
>>> work, neither with always. unset and set don't work as well, only add
>>> works.
>>>
>>
>> Why not this?
>>
>> 
>>ServerName www.example.com
>> #   DocumentRoot /httpdpages
>>Redirect permanent / https://www.example.com/
>> 
> 
> Because vhost :80 is common for http and https: actual endpoint is
> loadbalancer, apache is backend with a lot of redirects.

Consider using a separate  for your HTTPS traffic, like this:

lb:80  --> httpd:80
lb:443 --> httpd:81

httpd:81 is not encrypted, but it's configured to behave as if it is.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] php.conf and PHP-FPM

2015-11-13 Thread Christopher Schultz 
John,

On 11/13/15 2:53 PM, Rose, John B wrote:
> Let me rephrase my question.
> 
> I understand the .conf file names can be anything.
> 
> I may should have asked it this way, do the settings such as  ...
> 
> 
> SetHandler application/x-httpd-php
> 
> 
> 
> 
> AddType text/html .php
> 
> Etc,
> 
> ...typically in the file named php.conf, matter if you do not have mod_php
> loaded and are only using PHP-FPM?
> 
> What PHP related setting would you possibly put in php.conf if you are
> only using PHP-FPM?
> 
> In other words, by using PHP-FPM, and using ProxyPassMatch, none of those
> things are used. Right?
> 
> Except "DirectoryIndex"
> 
> Comment: It seems the default/uncommented placement of "DirectoryIndex
> index.php" in php.conf would undesirably/unexpectedly replace
> "DirectoryIndex index.html index.php etc." in the main body of your
> httpd.conf file. If you "Include" conf.d late in your httpd.conf file.

If you place  ...  around your PHP-related
configurations, then you can safely leave your php.conf file in place
even when mod_php is disabled. In that case, the configuration within
the IfModule structure will be ignored when mod_php is not loaded.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to force browsers doesn't use cache

2015-11-16 Thread Christopher Schultz 
Pete,

On 11/16/15 3:52 PM, Pete Houston wrote:
> On Mon, Nov 16, 2015 at 06:19:37PM -0200, Ronaldo Luiz de Carvalho wrote:
>> There are a way to setting apache in a way to force the users site browsers
>> doesn't use their cache?
> 
> You can use the Header directive to set the appropriate value of the
> Cache-Control header.
> 
> http://httpd.apache.org/docs/2.4/mod/mod_headers.html#header
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9

+1

Plus the "Pragma" header for ancient clients, if you want.

This is how we do it:

Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0

Make sure you don't overdo this... if you have .css, .js files, etc.
that *should* be cached, don't let this apply to them.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Redirect[Match] behind load-balancer switching protocols

2015-11-17 Thread Christopher Schultz 
All,

The docs for the Redirect directive state that a slash-prefixed
replacement URL (relative) will use the current request's scheme and
hostname to build the redirect URL.

RedirectMatch doesn't say specifically, but what I'm observing is that:

RedirectMatch permanent ^/$ /foo/

... when requesting https://hostname/, I get a redirect to
http://hostname/foo/ <-- note the protocol switch from https to http.

I'm running httpd 2.4.16 on Linux.

This is an httpd instance which is sitting behind a load-balancer, so
httpd isn't terminating SSL itself. The lb is providing the various
X-Forwarded-* headers, and I have this configuration as well:

SetEnvIf X-Forwarded-Proto "https" HTTPS=On

Is there another environment variable or other setting that I need to
use in order to override httpd's protocol-detection?

Thanks,
-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Is there a shell environment variable to direct httpd to a httpd.conf ?

2015-11-20 Thread Christopher Schultz 
Gary,

On 11/20/15 4:44 PM, Gary M wrote:
> I'm in a unique configuration dilemma where I need to place the location
> of httpd.conf in a "soft" location. eg the shell environment variable.
> 
> I did look and cannot find the answer.
> 
> The question: "is there a shell environment variable read by httpd
> pointing to the conf file ? "
> 
> This is windows,, I have another solution for linux and solaris.

Can you do:

C:\> \path\to\bin\httpd -f %HTTPD_DOT_CONF%

?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] ProxyPass + Redirect

2015-12-16 Thread Christopher Schultz 
All,

I've got a reverse-proxy in front of Tomcat that I'd like to configure.
When using mod_jk, we have a configuration like this:

   RedirectMatch ^/foo(/)?$ /foo/someplace_specific.html
   RedirectMatch ^/foo/index.html$ /foo/someplace_specific.html
   JkMount /foo/*.do myWorker

This works swimmingly.

Now, we have an environment where we need to use mod_proxy instead, so
we have tried this:

   RedirectMatch ^/foo(/)?$ /foo/someplace_specific.html
   RedirectMatch ^/foo/index.html$ /foo/someplace_specific.html

   ProxyPass /foo/ http://localhost:8009/foo/
   ProxyPassReverse /foo/ http://localhost:8009/foo/

(There may be typos in there, but I typed it from memory and sanitized
it at the same time. Don't worry too much about that; the order and gist
is correct.)

Sharp-eyed readers will note that ProxyPass will take precedence over
the RedirectMatch directive. No problem, we can just un-proxy that
special path:

   RedirectMatch ^/foo(/)?$ /foo/someplace_specific.html
   RedirectMatch ^/foo/index.html$ /foo/someplace_specific.html
   ProxyPass /foo/index.html !
   ProxyPass /foo/ http://localhost:8009/foo/
   ProxyPassReverse /foo/ http://localhost:8009/foo/

Unfortunately, this doesn't seem to be working for me: a request for
/foo/index.html gives me a 404 error *and a JSESSIONID from Tomcat*, so
I'm fairly certain that the request is being proxied.

I'm certain that I have some small error in my configuration for the
index.html case, but I think I'm up against a wall when it comes to the
/foo/ case: the RedirectMatch looks for ^/foo(/)?$ which is necessarily
the "root" of the virtual-directory being proxied... so I'm going to
need to tell mod_proxy to turn-off proxying for a specific URL.

I know that using mod_rewrite, we can use the [P] flag to send things
through mod_proxy. Is there a do-not-proxy flag for mod_rewrite that I
can use? Or do I have to change from using ProxyPass to using
RewriteRule with [P] for everything instead? I'd prefer a solution that
doesn't involve mod_rewrite if I can get away with it.

Thanks,
-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] ProxyPass + Redirect

2015-12-16 Thread Christopher Schultz 
Bill,

On 12/16/15 5:45 PM, William A Rowe Jr wrote:
> On Wed, Dec 16, 2015 at 4:34 PM, Christopher Schultz
> mailto:ch...@christopherschultz.net>> wrote:
> 
> 
>RedirectMatch ^/foo(/)?$ /foo/someplace_specific.html
>RedirectMatch ^/foo/index.html$ /foo/someplace_specific.html
>ProxyPass /foo/index.html !
>ProxyPass /foo/ http://localhost:8009/foo/
>ProxyPassReverse /foo/ http://localhost:8009/foo/
> 
> Unfortunately, this doesn't seem to be working for me: a request for
> /foo/index.html gives me a 404 error *and a JSESSIONID from Tomcat*, so
> I'm fairly certain that the request is being proxied.
> 
> 
> I thought this was order-sensitive, try reversing the two ProxyPass
> statements. 

I actually had the "ProxyPass !" last, and when it didn't work as I
expected, then I re-read the docs which say that ProxyPass has
first-match-wins semantics. So no joy there. :(

Also, this is never going to work:

  ProxyPass /foo/ !
  ProxyPass /foo/ http://localhost:8009/foo/

So I need a plan for the exact string "/foo/" without shooting-out the
knees of the rest of the proxy configuration.

Any ideas?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Uneven load distribution in Tomcat application servers proxy balanced in front end Apache httpd web server

2015-12-22 Thread Christopher Schultz 
Gaurav,

On 12/22/15 11:26 AM, Gaurav Kumar wrote:
> I am using 6 Apache httpd 2.2.15 which are forwarding requests to the
> Tomcat application servers (version: 7.0.41). Using mod_proxy, all the
> application servers are balanced with proxy balancers. Below is the
> similar configuration of apache httpd.conf:
> 
> |##Proxy Balancers for use by all Virtual Hosts  balancer://FrontEnd> BalancerMember ajp://APP01.abcd.com:8009
>  route=APP01 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP02.abcd.com:8009
>  route=APP02 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP03.abcd.com:8009
>  route=APP03 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP04.abcd.com:8009
>  route=APP04 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP05.abcd.com:8009
>  route=APP05 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP06.abcd.com:8009
>  route=APP06 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP07.abcd.com:8009
>  route=APP07 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP08.abcd.com:8009
>  route=APP08 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP09.abcd.com:8009
>  route=APP09 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP10.abcd.com:8009
>  route=APP10 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP11.abcd.com:8009
>  route=APP11 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP12.abcd.com:8009
>  route=APP12 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP13.abcd.com:8009
>  route=APP13 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP14.abcd.com:8009
>  route=APP14 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP15.abcd.com:8009
>  route=APP15 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP16.abcd.com:8009
>  route=APP16 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP21.abcd.com:8009
>  route=APP21 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP22.abcd.com:8009
>  route=APP22 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP23.abcd.com:8009
>  route=APP23 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP24.abcd.com:8009
>  route=APP24 timeout=120 ttl=600
> keepalive=On BalancerMember ajp://APP25.abcd.com:8009
>  route=APP25 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP26.abcd.com:8009
>  route=APP26 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP27.abcd.com:8009
>  route=APP27 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP28.abcd.com:8009
>  route=APP28 timeout=120 ttl=600
> keepalive=On ProxySet stickysession=JSESSIONID  |
> 
> I am facing the uneven load distribution issue among the application
> servers when I check it from the Apache webserver balancer-manager.
> Infact, the top 13 app servers (app01 to app13, assume batch1) are
> getting almost equal load and the remaining app servers (app14 to app16
> and app21 to app28, assume batch2) are getting equal load. The batch1
> app servers have almost 3 times more load than the batch2 app servers.
> 
> I also tried to diagnose if any network issue might be causing the
> problem. So, tried the traceroute command for the diagnosis and found
> almost similar patterns with 30 hops for both the batch servers (batch1
> as well as batch2).
> 
> I am unable to figure out, what the issue is? Can anyone please help me
> out. Any help, really appreciated.

Remember that users can keep their session identifiers longer than their
session actually lasts. The load-balancer doesn't keep a mapping of
session ids to app servers.. instead, it uses a node-hint in the session
id like 8927418392BACBD3298.workerName and uses that for routing.

If you have a user who logs-in and is assigned to a node, then continues
using their browsers without restarting it for a month, they will always
go to the same server unless their session cookies are being destroyed
*and* then you redirect them to be re-balanced before another session is
created.

This might just be a natural "clumping" of sessions to various servers.
If you watch it over time, does it settle-down over time, or does it
appear that the nodes are becoming more and more segregated?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.

Re: [users@httpd] ProxyPass + Redirect

2015-12-28 Thread Christopher Schultz 
Yann,

On 12/17/15 3:51 AM, Yann Ylavic wrote:
> On Thu, Dec 17, 2015 at 8:14 AM, Marat Khalili  wrote:
>> Crude, but what about:
>>
>> ProxyPassMatch "^/foo/(.+)$" "http://localhost:8009/foo/$1";
> 
> or (along the lines):
> ProxyPassMatch ^/foo/((?!index\.html$).+)$ http://localhost:8009/foo/$1

I was able to solve the problem in this way, which is basically the same
thing you have above:

ProxyPassMatch ^/foo/index.html$ !
ProxyPassMatch ^/foo(/)?$ !

RedirectMatch ^/foo/index.html$ /foo/someplace_specific.html
RedirectMatch ^/foo/$ /foo/someplace_specific.html

It's pretty clear that I should probably combine each of these pairs of
directives into single ones, since they will likely perform better. I'm
not sure if PCRE is smart enough to understand that ^whatever$ can be
optimized to straight-equals to avoid the overhead of the whole regular
expression engine.

If anyone knows the answer to that, it would be nice to know. In the
meantime, regular expressions have come to the rescue.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] proper MPM and mod_php

2016-01-08 Thread Christopher Schultz 
Eric,

On 1/7/16 5:47 PM, Eric Covener wrote:
> On Thu, Jan 7, 2016 at 4:51 PM, Rose, John B  wrote:
>> Is using "event" MPM and mod_php ok, or should "prefork" always be used with
>> mod_php?
> 
> The conventional wisdom is prefork-only if you must use mod_php.

I was just looking at this yesterday on my Amazon Linux VM, and the
package-managed config for mod_php looks like this:


  LoadModule php5_module modules/libphp-5.5.so



  LoadModule php5_module modules/libphp-zts-5.5.so


So it looks like there is a module that has been built with an eye
toward thread-safety. That module may be available in John's environment
as well.

Thanks,
-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Expiring DAV file locks with mod_dav

2016-02-05 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

All,

I've been searching for a bit and mostly people are having the
opposite problem I'm having: they are having file locks expire too early
.

I have a lock on a file on the DAV that looks like it's no longer
valid, but LibreOffice Writer won't open a document on by WebDAV
server because it says it's locked by another user (and names the user).

Are there any tools to investigate and/or tweak the locks held by mod_da
v?

I tried "dbmmanage DAVLocks view" just to see if anything would work,
and it dumped-out some stuff, but didn't look like dbmmanage could
really interpret the DAVLocks file.

Any ideas? I'm sure that rm DAVLocks && /etc/init.d/apache2 restart"
would do the trick, but I'd like to keep any other legitimate file
locks in place if possible.

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla1DmcACgkQ9CaO5/Lv0PCb+ACeOBG1u46NmKgcdHbAuLKdy3Zd
0G4An0DoNbY/Ls6XthD0WBrQOm02DZct
=XmY4
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to build Apache with FIPS mode capable?

2016-02-09 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Rich,

On 2/8/16 3:25 PM, cloud force wrote:
> Hi All:
> 
> From the mod_ssl doc, it mentioned: "If httpd was compiled against
> an SSL library which did not support the FIPS_mode flag, |SSLFIPS
> on| will fail."
> 
> How do I compile apache (version 2.2) with FIPS capable OpenSSL
> library?

It's not Apache httpd that needs to be compiled for FIPS, it's
OpenSSL. So if you have a FIPS-capable OpenSSL library, you should be
okay.

Building a FIPS-capable OpenSSL is possible, but requires some steps
on top of the usual OpenSSL build process:

http://openssl.org/docs/fips.html

Unless you have some regulatory requirement to use FIPS, I wouldn't
bother with the whole mess. FIPS does two things: (1) validates the
library on startup to ensure it hasn't been tampered with (which I
suppose is good) and (2) mandates a specific set of hashes, ciphers,
etc. (bad). The reason #2 is bad is because the set of ciphers
required by FIPS includes known weak ciphers, and probably also
contains unknown weak ciphers, too.

AFAICR, FIPS also will not allow you to use additional ciphers on top
of the FIPS requirements, so you aren't allowed to use the latest and
greatest ciphers recommended by security experts.

(Finally, it's unclear whether or not it's actually possible to
produce a FIPS-compliant implementation *at all*, so the whole thing
is a farce, anyway.)

So, unless you have a specific and unyielding requirement to use a
FIPS-compliant library, save your time and just configure your
non-FIPS-compliant server in a sane way and you'll be fine.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla57nUACgkQ9CaO5/Lv0PAyTwCeLBOwi8VV9W5vngMc01ae62vC
O6wAnjglbjMq8S3+ZEyU1jch6wH4d7HW
=NJnj
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to build Apache with FIPS mode capable?

2016-02-09 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Rich,

On 2/9/16 4:09 PM, cloud force wrote:
> Yes I do have* *some regulatory requirement to use FIPS and I have
> built the FIPS capable OpenSSL lib.

Where is that library located on the disk?

> I tried to add the "SSLFIPS on" parameter to the httpd.conf config
> file as suggested in the ssl_mod manual page, but the httpd failed
> to start with errors which seemed to due to the fact that my apache
> server was not compiled against an SSL library which support the
> FIPS_mode flag.

Maybe you are getting the system-provided OpenSSL library and not the
one you custom-built.

> I need helps with guidance of how to compile apache server with
> FIPS capable OpenSSL lib so that the Apache server can be operating
> under the OpenSSL FIPS mode.

Recompiling httpd is never needed to switch-out a shared library. You
just need to fix the way the OS loads things.

What OS? What version of that OS? Architecture, etc.?
How did you install httpd?
How did you install OpenSSL (originally)?
Did you build the FIPS-capable OpenSSL library yourself or did you get
it from some other source?
Where is the FIPS-capable OpenSSL library on the disk?
How do you launch httpd?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla6b0oACgkQ9CaO5/Lv0PD3wACfWaxX8PA8dhUajcJiHoar12ck
1NoAniETHeQizkhiRLtie+M2RCxuKFAz
=HJr7
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to build Apache with FIPS mode capable?

2016-02-10 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Rich,

On 2/9/16 6:21 PM, cloud force wrote:
> On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz 
>  <mailto:ch...@christopherschultz.net>> wrote:
> 
> Rich,
> 
> On 2/9/16 4:09 PM, cloud force wrote:
>> Yes I do have* *some regulatory requirement to use FIPS and I
>> have built the FIPS capable OpenSSL lib.
> 
> Where is that library located on the disk?
> 
>> [Rich] The new libcrypto.so located in the same directory 
>> /lib/x86_64-linux-gnu/
> 
> 
> 
>> I tried to add the "SSLFIPS on" parameter to the httpd.conf
>> config file as suggested in the ssl_mod manual page, but the
>> httpd failed to start with errors which seemed to due to the fact
>> that my apache server was not compiled against an SSL library
>> which support the FIPS_mode flag.
> 
> Maybe you are getting the system-provided OpenSSL library and not
> the one you custom-built.
> 
>> I need helps with guidance of how to compile apache server with 
>> FIPS capable OpenSSL lib so that the Apache server can be
>> operating under the OpenSSL FIPS mode.
> 
> Recompiling httpd is never needed to switch-out a shared library.
> You just need to fix the way the OS loads things.
> 
>> [Rich] How do I do that?

That depends upon the answers to your various questions.

> What OS? What version of that OS? Architecture, etc.?
> 
>> [Rich] Ubuntu Linux 64 bit (version 12.04)
> 
> 
> How did you install httpd?
> 
>> [Rich] Httpd is packaged by Ubuntu as a package called apache2,
>> and I installed the apache2 package.

Good. Keep that package as it is.

> How did you install OpenSSL (originally)?
> 
>> [Rich] OpenSSL is also packaged by Ubuntu as a package. I
>> installed the original Ubuntu openssl package.

Okay. And that package is still installed and not broken?

> Did you build the FIPS-capable OpenSSL library yourself or did you
> get it from some other source?
> 
>> [Rich] I downloaded the FIPS modules source and built it with the
>> stock openssl library, and then installed the newly rebuild FIPS
>> capable openssl library. I was able to verify by using the FIPS
>> capable openssl lib, running the openssl command to generate a
>> MD5 checksum failed due to it's an non-approved FIPS algorithm.

Okay, good. IIRC, the "openssl" CLI is statically-linked so that will
always work as long as you use the full path to the FIPS-capable
openssl binary. Getting another program to load using the FIPS-capable
library takes a bit of work.

> Where is the FIPS-capable OpenSSL library on the disk?
> 
>> [Rich] The .so files are mostly under the directory
>> /lib/x86_64-linux-gnu/

Isn't that where the Ubuntu-packages libraries are as well?

What does this command show?

$ dpkg -L libssl1.0.0

(This will still work if you have OpenSSL 1.0.1.)

Where *exactly* are the FIPS-capable libraries you built? There should
be several .so files produced by the build. What are they and where
did you put them?

> How do you launch httpd?
> 
>> [Rich] Ubuntu uses upstart script to launch service like httpd. I
>> just ran the upstart script (service apache2 start) to start the
>> httpd.

Ultimately, this is going to involve you adjusting the LD_LIBRARY_PATH
environment variable to point to the place where your FIPS-capable
OpenSSL libraries are. But if you put them into the existing library
search path, you may have broken both your original OpenSSL
installation, plus the FIPS-capable libraries as well.

It would be best to keep the FIPS-capable libraries somewhere out of
the way where you won't confuse them with the package-installed ones.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla7VSQACgkQ9CaO5/Lv0PDqQACbBdzt3ek8ywxxUFgjhb8YXhf7
1gAAnRRHqsNIEuOmd6OFjewx3M7UWZsa
=JqxL
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to build Apache with FIPS mode capable?

2016-02-10 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Rich,

On 2/10/16 11:24 AM, cloud force wrote:
> Hi Chris,
> 
> Please see my comments below.
> 
> Thanks, Rich
> 
> On Wed, Feb 10, 2016 at 7:20 AM, Christopher Schultz 
>  <mailto:ch...@christopherschultz.net>> wrote:
> 
> Rich,
> 
> On 2/9/16 6:21 PM, cloud force wrote:
>> On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz 
>> > <mailto:ch...@christopherschultz.net> 
>> <mailto:ch...@christopherschultz.net
>> <mailto:ch...@christopherschultz.net>>>
> wrote:
> 
>> Rich,
> 
>> On 2/9/16 4:09 PM, cloud force wrote:
>>> Yes I do have* *some regulatory requirement to use FIPS and I 
>>> have built the FIPS capable OpenSSL lib.
> 
>> Where is that library located on the disk?
> 
>>> [Rich] The new libcrypto.so located in the same directory 
>>> /lib/x86_64-linux-gnu/
> 
> 
> 
>>> I tried to add the "SSLFIPS on" parameter to the httpd.conf 
>>> config file as suggested in the ssl_mod manual page, but the 
>>> httpd failed to start with errors which seemed to due to the
>>> fact that my apache server was not compiled against an SSL
>>> library which support the FIPS_mode flag.
> 
>> Maybe you are getting the system-provided OpenSSL library and
>> not the one you custom-built.
> 
>>> I need helps with guidance of how to compile apache server
>>> with FIPS capable OpenSSL lib so that the Apache server can be 
>>> operating under the OpenSSL FIPS mode.
> 
>> Recompiling httpd is never needed to switch-out a shared
>> library. You just need to fix the way the OS loads things.
> 
>>> [Rich] How do I do that?
> 
> That depends upon the answers to your various questions.
> 
>> What OS? What version of that OS? Architecture, etc.?
> 
>>> [Rich] Ubuntu Linux 64 bit (version 12.04)
> 
> 
>> How did you install httpd?
> 
>>> [Rich] Httpd is packaged by Ubuntu as a package called
>>> apache2, and I installed the apache2 package.
> 
> Good. Keep that package as it is.
> 
>> How did you install OpenSSL (originally)?
> 
>>> [Rich] OpenSSL is also packaged by Ubuntu as a package. I 
>>> installed the original Ubuntu openssl package.
> 
> Okay. And that package is still installed and not broken?
> 
>> Did you build the FIPS-capable OpenSSL library yourself or did
>> you get it from some other source?
> 
>>> [Rich] I downloaded the FIPS modules source and built it with
>>> the stock openssl library, and then installed the newly rebuild
>>> FIPS capable openssl library. I was able to verify by using the
>>> FIPS capable openssl lib, running the openssl command to
>>> generate a MD5 checksum failed due to it's an non-approved FIPS
>>> algorithm.
> 
> Okay, good. IIRC, the "openssl" CLI is statically-linked so that
> will always work as long as you use the full path to the
> FIPS-capable openssl binary. Getting another program to load using
> the FIPS-capable library takes a bit of work.
> 
>> Where is the FIPS-capable OpenSSL library on the disk?
> 
>>> [Rich] The .so files are mostly under the directory 
>>> /lib/x86_64-linux-gnu/
> 
> Isn't that where the Ubuntu-packages libraries are as well?
> 
>> [Rich] Yes, basically my newly built FIPS capable OpenSSL lib
>> files replaced the original Ubuntu installed ones.
> 
> 
> 
> What does this command show?
> 
> $ dpkg -L libssl1.0.0
> 
> (This will still work if you have OpenSSL 1.0.1.)
> 
> Where *exactly* are the FIPS-capable libraries you built? There
> should be several .so files produced by the build. What are they
> and where did you put them?
> 
>> How do you launch httpd?
> 
>>> [Rich] Ubuntu uses upstart script to launch service like httpd.
>>> I just ran the upstart script (service apache2 start) to start
>>> the httpd.
> 
> Ultimately, this is going to involve you adjusting the
> LD_LIBRARY_PATH environment variable to point to the place where
> your FIPS-capable OpenSSL libraries are. But if you put them into
> the existing library search path, you may have broken both your
> original OpenSSL installation, plus the FIPS-capable libraries as
> well.
> 
>> [Rich] My understanding is, if I replace the Ubuntu installed
>> OpenSSL lib files with the FIPS capable version built by myself,
>> as long as the application which uses openssl (e.g. Apache
>> server) doesn't explicitly invoke FIPS_mode_set() API to enable
>> FIPS mode, they will work pretty

Re: [users@httpd] How to build Apache with FIPS mode capable?

2016-02-10 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Rich,

On 2/10/16 1:12 PM, cloud force wrote:
> I added the "SSLFIPS on" option to the httpd.conf as suggested in
> the ssl_mod doc, and I got the following error:
> 
> * Starting web server apache2
> 
> 
> Syntax error on line 1 of /etc/apache2/httpd.conf:
> 
> SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS
> 
> Action 'start' failed.
> 
> The Apache error log may have more information.

It looks like httpd *must* be built against a FIPS-capable library.

- From modules/ssl/ssl_engine_config.c:692:

> #ifdef HAVE_FIPS if ((sc->fips != UNSET) && (sc->fips !=
> (BOOL)(flag ? TRUE : FALSE))) return "Conflicting SSLFIPS options,
> cannot be both On and Off"; sc->fips = flag ? TRUE : FALSE; #else 
> if (flag) return "SSLFIPS invalid, rebuild httpd and openssl
> compiled for FIPS"; #endif
> 
> return NULL; }

So you think you really do have to re-build. But the only thing that
needs to be defined is OPENSSL_FIPS. From modules/ssl/ssl_private.h:126:

> #if defined(OPENSSL_FIPS) #define HAVE_FIPS #endif

So if you grab the source and simply do:

$ CFLAGS=-DOPENSSL_FIPS ./configure [other opts]
$ make

That ought to get you a FIPS-capable httpd.

To those down and dirty with httpd: is there a reason not to
UNCONDITIONALLY build against OpenSSL's FIPS_mode_set? If the library
doesn't support FIPS mode, it will complain about it and refuse to
enter FIPS mode. The httpd code already handles this in
mobules/ssl/ssl_engine_init.c:

> #ifdef HAVE_FIPS if(sc->fips) { if (!FIPS_mode()) { if
> (FIPS_mode_set(1)) { ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
> APLOGNO(01884) "Operating in SSL FIPS mode"); } else { 
> ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS
> mode failed"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); 
> return ssl_die(s); } } } else { ap_log_error(APLOG_MARK,
> APLOG_DEBUG, 0, s, APLOGNO(01886) "SSL FIPS mode disabled"); } 
> #endif

I don't see a compelling reason to have all the #ifdef HAVE_FIPS
conditionals all over the place.

Hope that helps,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla7tjQACgkQ9CaO5/Lv0PDtUgCfT9JC4pOt0WdZWe3XsFRtQgWa
f+AAmwQY+A5KmdTEzwR47/aEK3b/xchg
=WaCl
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to build Apache with FIPS mode capable?

2016-02-11 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Yann,

On 2/10/16 6:11 PM, Yann Ylavic wrote:
> Hi,
> 
> On Wed, Feb 10, 2016 at 11:14 PM, Christopher Schultz 
>  wrote:
>> 
>> To those down and dirty with httpd: is there a reason not to 
>> UNCONDITIONALLY build against OpenSSL's FIPS_mode_set? If the
>> library doesn't support FIPS mode, it will complain about it and
>> refuse to enter FIPS mode. The httpd code already handles this
>> in mobules/ssl/ssl_engine_init.c:
>> 
>>> #ifdef HAVE_FIPS if(sc->fips) { if (!FIPS_mode()) { if 
>>> (FIPS_mode_set(1)) { ap_log_error(APLOG_MARK, APLOG_NOTICE, 0,
>>> s, APLOGNO(01884) "Operating in SSL FIPS mode"); } else { 
>>> ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885)
>>> "FIPS mode failed"); ssl_log_ssl_error(SSLLOG_MARK,
>>> APLOG_EMERG, s); return ssl_die(s); } } } else {
>>> ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01886) "SSL
>>> FIPS mode disabled"); } #endif
>> 
>> I don't see a compelling reason to have all the #ifdef HAVE_FIPS 
>> conditionals all over the place.
> 
> OPENSSL_FIPS is something defined by OpenSSL when FIPS has been
> ./config-ured. Apache httpd should be run against an OpenSSL
> version ABI-compatible with the one it was compiled with, whereas
> FIPS vs non-FIPS OpenSSLs are possibly not ABI-compatible...

That's the thing: I believe they *are* ABI-compatible, since OpenSSL
doesn't seem to conditionally-compile any of the declarations of its
functions... specifically FIPS_mode_set.

I haven't actually done any testing to confirm that they are
ABI-compatible, though.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla8wT4ACgkQ9CaO5/Lv0PB24QCbBRiNzR3lqUTURsXfUyJhng7a
zo8AoLKYueo8xTiH4JnTpmj0CTDRy7eG
=dhQl
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Proxy logging

2016-02-12 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

All,

I'm using mod_proxy_http as a reverse-proxy to another origin server.
It seems that httpd doesn't record access logs for stuff going over to
the proxy.

Is there a way to write an access log for requests handles by
mod_proxy? Or is the best practice to aggregate the logs from the
origin server and the reverse proxy? (In this case, I have complete
control over both servers).

Apache httpd 2.4 everywhere.

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla996gACgkQ9CaO5/Lv0PAa3gCgoWy/cmwz8srKD6vSTnsvY/rI
J/EAoLYf9qpR8BWOKEXEjTC3wHDE73FI
=p44+
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Expiring DAV file locks with mod_dav

2016-02-12 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

All,

Ping. Any ideas?

Thanks,
- -chris

On 2/5/16 4:04 PM, Christopher Schultz wrote:
> All,
> 
> I've been searching for a bit and mostly people are having the 
> opposite problem I'm having: they are having file locks expire too
> early .
> 
> I have a lock on a file on the DAV that looks like it's no longer 
> valid, but LibreOffice Writer won't open a document on by WebDAV 
> server because it says it's locked by another user (and names the
> user).
> 
> Are there any tools to investigate and/or tweak the locks held by
> mod_da v?
> 
> I tried "dbmmanage DAVLocks view" just to see if anything would
> work, and it dumped-out some stuff, but didn't look like dbmmanage
> could really interpret the DAVLocks file.
> 
> Any ideas? I'm sure that rm DAVLocks && /etc/init.d/apache2
> restart" would do the trick, but I'd like to keep any other
> legitimate file locks in place if possible.
> 
> Thanks, -chris
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla9/74ACgkQ9CaO5/Lv0PDn2ACeMZKPb8SwWNyhOFlXCM0EGTPs
heQAn2mtzV1nkzx+HJADvqH78kZZ+pT3
=eArQ
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] image display error with stock icon

2016-02-14 Thread Christopher Schultz 
Douglas,

On 2/14/16 9:44 PM, Douglas W. Goodall wrote:
> I have written a very simple pair of cgi scripts in python that display
> a toggle switch either
> in the up position, or in the down position. When you click on the
> switch, it toggles between
> the two and switches between the images appropriately. At least that is
> what it is supposed
> to do.
> 
> The problem presented itself as the switch always being in the down
> position, no matter
> how I toggled and switched between the cgi scripts.
> 
> Here is the down
> and here is the up.
> 
> I checked in the browser debugger and the cgi scripts were trying to
> send the proper images.
> I tried the in the Mac OS X based Safari and Chrome and had identical
> results.
> 
> When I eventually gave up and used different switch images, the problem
> went away, so it
> is my best guess that there is something pathological about the binary
> contents of the images
> making the Web Server send a cached version of the down switch image
> instead of the up
> switch image that is needed.

If the URL of the switch image the same in both cases (e.g.
/images/switch_state.cgi)?

If so, you may be dealing with browser caching. Use the usual cadre of
response headers to instruct the client not to cache the response.

If not, then the problem may still be a cached image, possibly from a
time where the URL pointed to the wrong image.

Using Chrome's dev tools, you can see exactly what the client HTTP
request and server HTTP response look like. That may help find out
what's going on.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Howto accept only one connection

2016-02-18 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Oliver,

On 2/18/16 8:31 AM, Oliver Graute wrote:
> is it possible to configure Apache 2.4 to accept only one
> connection at time on port 443? is this something I can configure
> for my Virtual Hosts?

For testing, or for long-term behavior?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlbF29MACgkQ9CaO5/Lv0PB2PwCgkd54Vg7BsGiQwRISsCMIiQSt
J50AniH+Xv5kRfRYtiEgSNOxkmC+JsgL
=9/u8
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Howto accept only one connection

2016-02-19 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Oliver,

On 2/19/16 10:11 AM, Oliver Graute wrote:
> On 19/02/16, Aurélien Terrestris wrote:
>> Hello,
>> 
>> I'm not sure we can accept only one connection at a given time. I
>> tested with the "prefork MPM", and I only achieve 1 concurrent
>> request being processed at a given time and all others requests
>> are buffered (ListenBackLog doesn't seem to work on my server).
>> Once the 1st request has been processed, the other ones are
>> processed one after the other.
>> 
>> If running on a Linux, maybe should you configure the iptables to
>> limit connections to 1 for the httpd port. Behind a F5
>> loadbalancer, there is the Connection Limit parameter on the
>> virtual server which can be set.
>> 
>> 
>> my httpd conf :
>> 
>> ./configure .  --with-mpm=prefork
>> 
>>  StartServers 1 
>> MinSpareServers  1 MaxSpareServers  0 
>> MaxRequestWorkers1 MaxConnectionsPerChild   0 
>> ListenBacklog1 ServerLimit  1 
>> 
> 
> thx for this proposal, i will try it this way...

I'm kind of curious why you are using Apache httpd if you just want a
single connection to be available. Anyone can write a
single-connection HTTP service in about two pages of higher-level
source code (e.g. Python, Java, C#, maybe even Perl). This is a bit
like using a Saturn V rocket to launch a weather balloon.

For a single connection, make sure that you disable keepalive -- or at
least set the keep alive timeout to something small, like 1 second.
Otherwise, you'll DOS yourself quite easily. I would also set the TCP
backlog to something small. Maybe as little as 1 (or 0, if that
doesn't actually mean "backlog until we run out of memory").

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlbHMyAACgkQ9CaO5/Lv0PCRigCfTmzndG7agsZ9EmwM0sJTLMV9
ccAAoLD/DvkLbrsZhNnQMRXDQGRU+KOR
=NC4e
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] apache 2.4, APR and online prefix

2016-02-24 Thread Christopher Schultz 
Raf,

On 2/24/16 4:41 AM, Raf Roger wrote:
> Hi
> 
> i'm trying to create a LAMP stack that allow user to synchronize LAMP
> stack files and webapps among several computers.
> 
> Instead of reinstalling everything identically on each computer, they
> could just synchronize the stack and voila.
> 
> for such purpose i need to make each element of the stack independent of
> the OS, so to have it as a "brick"
> 
> therefore i would like to know if there is a version of httpd 2.4 usable
> for such purpose. In fact when i'm compiling apache 2.4 it request APR
> and APR-UTIL but those 2 APRs should be delivered with the stacks or are
> they only needed during apache2 compiling ?

Sounds like you are looking for something like Docker/Puppet/Chef (et
al) that can build a whole operating environment for you from the OS up
to whatever else you need (support packages, etc.). Don't reinvent the
wheel: I recommend you go find out what already exists before you do
this on your own.

I think this is a solved problem.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache virus scanning

2016-03-08 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

John

On 3/8/16 2:43 PM, Rose, John B wrote:
> Looking for comments on mod_clamav, and any other alternative
> antivirus software for Apache on linux

Are you trying to protect your clients or your servers?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlbfNWYACgkQ9CaO5/Lv0PCtKACfUSwfFmm3iAXMmljzRhwaw6NZ
yj0Anjxz5oIgdOm6hiV0LOs4jr3n5uLK
=8ynF
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache virus scanning

2016-03-09 Thread Christopher Schultz 
John,

On 3/8/16 6:02 PM, Rose, John B wrote:
> I am interested in both
> 
> Thanks
> 
> Sent from my iPad
> 
>> On Mar 8, 2016, at 3:27 PM, Christopher Schultz 
>>  wrote:
>>
> John
> 
>>>> On 3/8/16 2:43 PM, Rose, John B wrote:
>>>> Looking for comments on mod_clamav, and any other alternative
>>>> antivirus software for Apache on linux
> 
> Are you trying to protect your clients or your servers?

I would imagine that running any AV software that monitors the
filesystem for changes would be sufficient. Why do you think you need an
httpd module for this?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache virus scanning

2016-03-09 Thread Christopher Schultz 
John,

On 3/9/16 10:21 AM, Rose, John B wrote:
> What about if your web sites allow for uploading files? Would you not want
> to scan those on upload before they got on your filesystem?

Sure, it would be nice to have the file scanned during upload, but I'm
guessing that the AV can't give an opinion on a file until it's been
completely-uploaded. In that case, do you really want to buffer the
whole file in memory to scan it?

I think the file is going to make it -- at least in part -- to the disk
either way, unless you have other controls in place such as upload-size
limits where you can make a good bet that in-memory scanning can be done
without bringing-down your server.

Anyhow, I don't have any particular experience with mod_clamav or
anything like that. Certainly I wouldn't rely upon it solely, since
there are other ways files can make it onto your server(s). But it
probably couldn't hurt.

Things I'd be worried about are which requests will be scanned by the
AV? Will every single GET/POST/etc. be scanned? That might cause a
significant impact on your response times. Also, the aforementioned
buffering -- does the file have to remain in memory to be scanned, or
will it be streamed to a disk somewhere first? You don't want AV-scans
to bust your memory cap.

-chris

> On 3/9/16 9:49 AM, "Christopher Schultz" 
> wrote:
> 
>> John,
>>
>> On 3/8/16 6:02 PM, Rose, John B wrote:
>>> I am interested in both
>>>
>>> Thanks
>>>
>>> Sent from my iPad
>>>
>>>> On Mar 8, 2016, at 3:27 PM, Christopher Schultz
>>>>  wrote:
>>>>
>>> John
>>>
>>>>>> On 3/8/16 2:43 PM, Rose, John B wrote:
>>>>>> Looking for comments on mod_clamav, and any other alternative
>>>>>> antivirus software for Apache on linux
>>>
>>> Are you trying to protect your clients or your servers?
>>
>> I would imagine that running any AV software that monitors the
>> filesystem for changes would be sufficient. Why do you think you need an
>> httpd module for this?
>>
>> -chris
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

2016-03-10 Thread Christopher Schultz 
Eric,

On 3/9/16 8:44 PM, Eric Covener wrote:
> On Wed, Mar 9, 2016 at 8:40 PM, Francis Roy  
> wrote:
>>  drwxr-x--- username
> 
> 
> If you want to serve out of your home directory, it needs to be
> executable by "other".

Or group-owned by whatever group httpd runs under.

No ownership was previously posted, so it's tough to tell how the
permissions will be applied.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Load balancing based on header value

2016-03-30 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Niranjan,

On 3/30/16 2:15 PM, Niranjan Rao wrote:
> Greetings,
> 
> My first post to this mailing list.
> 
> I have apache2 load balancing working perfectly based on session 
> affinity. Traffic does get directed properly to appropriate tomcat
> server.
> 
> We are trying to use same servers to serve some REST API calls.
> These calls don't have a session, however tomcat honouring the
> request does maintain some state and we would like to redirect the
> traffic to same tomcat based on some header value.
> 
> Tried searching and reading documents from apache web site, but
> have not figured it out yet.
> 
> Can I load balance based on header value? It seems to be doable,
> but could not find any example or how-to.

Which module are you using to proxy httpd -> Tomcat?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlb8H+0ACgkQ9CaO5/Lv0PC5EACgusxMWIhLosqqSi2GTgS/wCCE
1bgAnilhfPcRq1iZkLRibCHsKuZfkuFF
=vb8S
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Load balancing based on header value

2016-03-30 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Niranjan,

On 3/30/16 3:02 PM, Niranjan Rao wrote:
> I am using AJP to connect to tomcat.
> 
> Entry in the config file looks like
> 
>  BalancerMember ajp://myserver:8009
> route=node2 ProxySet lbmethod=bytraffic ProxySet
> stickysession=JSESSIONID 
> 
> Hope this answers your question.

Okay, so you are using mod_proxy_ajp.

I'm not sure how to do it in mod_proxy_ajp, but mod_jk allows the
request to override the worker to be used. I believe if you set the
JK_WORKER_NAME environment variable (for mod_jk only) that worker name
will be used. You can use whatever means in httpd to set that variable
such as mod_rewrite, etc.

I would imagine that there is a similar facility in mod_proxy_ajp.

- -chris

> On 3/30/16 2:15 PM, Niranjan Rao wrote:
 Greetings,
 
 My first post to this mailing list.
 
 I have apache2 load balancing working perfectly based on
 session affinity. Traffic does get directed properly to
 appropriate tomcat server.
 
 We are trying to use same servers to serve some REST API
 calls. These calls don't have a session, however tomcat
 honouring the request does maintain some state and we would
 like to redirect the traffic to same tomcat based on some
 header value.
 
 Tried searching and reading documents from apache web site,
 but have not figured it out yet.
 
 Can I load balance based on header value? It seems to be
 doable, but could not find any example or how-to.
> Which module are you using to proxy httpd -> Tomcat?
> 
> -chris
>> 
>> -
>>
>> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>> 
> 
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlb8LhYACgkQ9CaO5/Lv0PAA1ACcC9BuizMCiIORYNyCgeQ9Vt+5
CeMAn3qo01HeRt9VRbKBVy1QXZrEL6y/
=ffky
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH

2016-04-07 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Daniel,

On 4/7/16 11:21 AM, Poggenpohl, Daniel wrote:
> I'm working with Solaris 11.3 32Bit.
> 
> I've compiled and installed OpenSSL 1.0.2g with SSLv2 support
> (yeah, I know, but I can't get my setup to work without it) using:

You need to fix that ... right now. When you say "my setup won't work
without it", what do you mean?

Please tell me you accidentally typed "SSLv2" instead of "SSLv3", and
meant "SSLv3".

> My system has OpenSSL 1.0.1q pre-installed.

Okay.

> I've compiled Apache HTTPD 2.4.18 with the following options: cd
> /basedir/installers/httpd-2.4.18 OPENSSLDIR=/basedir/openssl/1.0.2g
> \ PKG_CONFIG_PATH=$OPENSSLDIR/lib/pkgconfig:$PKG_CONFIG_PATH \ ; \ 
> ./configure --prefix=/basedir/apache2/2.4.18 \ --enable-rewrite
> --enable-so --enable-dav --enable-deflate \ --enable-authnz-ldap
> --enable-ldap --with-ldap \ --enable-ssl --with-ssl=$OPENSSLDIR \

Okay.

> When I export LD_LIBRARY_PATH in envvars using the OPENSSLDIR/lib, 
> apache via PHPInfo finds 1.0.2g. When I don't use LD_LIBRARY_PATH, 
> the system 1.0.1q is used.
> 
> Can I do something about this? Or is this effect because of PHP?

That's totally expected. When you compiled httpd, the
- --with-ssl=$OPENSSLDIR really only chose the library header files to
use for the compilation. Since OpenSSL is (likely) compiled as a
shared-library, the linking is actually done at runtime instead of
compile-time.

LD_LIBRARY_PATH is how dynamic linking actually locates the libraries
that will be used at runtime. Your httpd build information is not
retained, and you need to set up the environment to get what you want.

Is there a particular problem with setting LD_LIBRARY_PATH, or did you
just want to know if you could avoid it?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcGoN0ACgkQ9CaO5/Lv0PBWUACcCTt4QOC9+nuxGqRUi1m5vI76
AC4An1vY4posMmjV5ODqG58xYNZi4DYL
=s0+x
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: AW: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH

2016-04-07 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Daniel,

On 4/7/16 2:52 PM, Poggenpohl, Daniel wrote:
> my setup is: I have a Moodle installation I need to run. So I need
> Apache, PHP, OpenSSL, iconv, mbstring, curl, zip, etc. . The plan
> is to have a relatively new PHP (5.6.20) and stay "new" with Apache
> and OpenSSL.
> 
> [snip]
> 
> This all didn't happen when I compiled OpenSSL 1.0.2g with SSLv2 
> support, by the way (we deactivated SSLv2 in our Apache anyway,
> and SSLLabs says we're in the clear regarding to Drown). With SSLv2
> support, PHP's configure finished without a real warning. And I
> could build it as well. So I frowned and accepted SSLv2 support for
> the moment.

Okay, so:

1. Things just don't seem to work if you compile without SSLv2
2. You don't actually need it, so it's disabled everywhere

That's fine. It would be good to find out *why* SSLv2 support is
required for everything to build/run properly, but it's not an
anormous concern just to have it in the binary.

> By the way, you didn't quote my CPPFLAGS and LDFLAGS that I set. 
> Using LDFLAGS, or rather -R I understand that I can set the
> runtime search path when linking the library. When I "ldd -s
> httpd", no SSL library is necessary there. And "ldd -s
> modules/mod_ssl.so" tells me it finds the locally installed 1.0.2g
> version. So I still don't understand why I need to set
> LD_LIBRARY_PATH when the linker finds what I want.

Hmm. I'm not familiar enough with the httpd build process to know what
the exact implications of using -R are.

> Yes, I want to avoid using LD_LIBRARY_PATH, because I read about 
> methods (like using -R) that could tell libraries where they
> should look first and LD_LIBRARY_PATH seems to be a kind of last
> resort.

If -R is supposed to work, then by all means use -R. Just be aware
that if you need to upgrade OpenSSL, you either need to use a
version-independent installation path (e.g. /usr/local/openssl/current
- -- I'd recommend a symlink for this purpose), or you'll need to
recompile httpd (mod_ssl, really).

Someone else will have to comment on why -R might not be having the
intended effect.

> Notes: - Yes, OpenSSL is compiled as a shared library. - Ideally, I
> would use /latest links combined with -R to avoid recompiling.

:)

> - Do I understand the following right? -I tells the compiler where
> to look for headers during compile time. -L tells the compiler
> where to find libraries to use in linking during the build. -R
> tells the Linker where to search for libraries during runtime.

Precisely.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcGwEcACgkQ9CaO5/Lv0PBSVwCgwaYwPlK5IjWi9l+5Qo5hk4XE
1w8AoI2JmTc9VdnK/kkwoaU/cVVRtkrA
=phx0
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH

2016-04-08 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Rainer,

On 4/8/16 11:30 AM, Rainer Jung wrote:
> Am 08.04.2016 um 10:41 schrieb Rainer Canavan:
>> On Fri, Apr 8, 2016 at 12:31 AM, Yann Ylavic
>>  wrote:
>>> On Thu, Apr 7, 2016 at 5:21 PM, Poggenpohl, Daniel 
>>>  wrote:
 
 LDFLAGS="-L$OPENSSLDIR/lib -R $OPENSSLDIR/lib"
>>> 
>>> I don't know which compiler you are using, but gcc's -R is not
>>> working correctly (on Linux at least), whereas
>>> "-Wl,-rpath,$OPENSSLDIR/lib" is...
>> 
>> -R used to work for us on Solaris with gcc to compile/link/run
>> our own httpd / php / curl / openssl stack. However, I'm not sure
>> which linker we used to use. If ldd claims it's picking up the
>> correct libraries, I'd assume it should work at runtime as well.
>> In case there's any doubt, lsof may show which libraries are
>> actually used.
> 
> ... and you can check the result of the "-R" or "-Wl,-rpath"
> compilation using "elfdump":
> 
> elfdump -d /path/to/modules/mod_ssl.so
> 
> will show you exactly, what NEEDED library names the linker has put
> into mod_ssl.so and also the RPATH and RUNPATH setting it has
> written to that shared object.
> 
> You can use that command on any shared object or binary (PHP libs
> etc.). I typically use it on Solaris Sparc, but I expect it to work
> as-is on Solaris x86. On Linux the info is available via "objdump
> -p".

I'm speaking from a position of ignorance, here, but can a dynamic
library modify the main process's search path? If only mod_ssl is
compiled with the static-path to OpenSSL but httpd is not (and it's
not clear to me that httpd is missing this static-path), surely the
loadable module isn't modifying the process's library load-path, is it?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcH1fgACgkQ9CaO5/Lv0PDj/ACgikEWnZYxThJD5o1qqFwUkeUk
SiIAoLSZk/T16ua3Qkywx8yrX1IXapgt
=b0pp
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] url forwarding

2016-04-08 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

K,

On 4/8/16 2:35 PM, K R wrote:
> I have a need to setup a redirect  for around 3000 pages which are
> in below format
> 
> http://myhost.com/index?page=content&topic=TVAR&popular=HOT-TOPIC
> --> http://myhost.com/index?page=content&topic=TVAR
> 
> and here TVAR can be  any string  (   we have now around 500
> different key e.g ALW , CAW,NYN,FLN )
> 
> Is there a way to  do get this done on apache .

Those URLs look the same to me if you ignore the "popular" URL
parameter. There is no mapping required at all. What am I missing?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcH/zIACgkQ9CaO5/Lv0PB9rwCfVaR/veYSJ+W3toRy/v/r83VQ
L0EAoJI0eK+3IToK/IphXWeC1R5ltU6i
=kttx
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] url forwarding

2016-04-09 Thread Christopher Schultz 
K,

On 4/8/16 5:02 PM, K R wrote:
> The source url has "  &popular=HOT-TOPIC
> <http://myhost.com/index?page=content&topic=TVAR&popular=HOT-TOPIC> "
> 
>  http://myhost.com/index?page=content&topic=TVAR&popular=HOT-TOPIC
> 
> how do i remove "  &popular=HOT-TOPIC
> <http://myhost.com/index?page=content&topic=TVAR&popular=HOT-TOPIC> "
>  on the redirect 

You can use mod_rewrite to do just about anything. You can even mutate
the URL such that you don't even need to redirect the request.

Hope that helps,
-chris

> On Fri, Apr 8, 2016 at 11:57 AM, Christopher Schultz
> mailto:ch...@christopherschultz.net>> wrote:
> 
> K,
> 
> On 4/8/16 2:35 PM, K R wrote:
>> I have a need to setup a redirect  for around 3000 pages which are
>> in below format
> 
>> http://myhost.com/index?page=content&topic=TVAR&popular=HOT-TOPIC
>> --> http://myhost.com/index?page=content&topic=TVAR
> 
>> and here TVAR can be  any string  (   we have now around 500
>> different key e.g ALW , CAW,NYN,FLN )
> 
>> Is there a way to  do get this done on apache .
> 
> Those URLs look the same to me if you ignore the "popular" URL
> parameter. There is no mapping required at all. What am I missing?
> 
> -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> <mailto:users-unsubscr...@httpd.apache.org>
> For additional commands, e-mail: users-h...@httpd.apache.org
> <mailto:users-h...@httpd.apache.org>
> 
> 

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to test my self-compiled Apache (overall and specifically LDAP)

2016-04-11 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Daniel,

On 4/11/16 12:11 PM, Poggenpohl, Daniel wrote:
> Hello everyone,
> 
> now that I have a self-compiled httpd, I of course would like to
> test its features, or rather if all features are working right when
> it is running. Is there a way to test my build in general?
> 
> One specific thing that I want to test is LDAP. I know that a
> combination of system LDAP and system SSL works in my case, but I
> also know that when I use a self-compiled LDAP, something isn't
> working right. I can do an ldapsearch on the command line, I can
> build a PHP file and use the PHP cli and it works, but when I make
> requests over http that end in the use of LDAP functions,
> something's not right. So how do I test my httpd LDAP functionality
> isolated?
> 
> My httpd build has --enable-authnz-ldap, --with-ldap,
> --with-ldap-include and --with-ldap-lib configured. I also don't
> really know - if I even need the authnz plugin (doing no basic
> authentication if I'm right) - what possible values the --with-ldap
> switch can get and what it does (I know it is for apr) - why the
> --with-ldap switch doesn't work like other switches (e.g.
> --with-ssl=/path/to/ssl) - if I even need ldap support in apache if
> I only use ldap in php scripts

If you are only using LDAP in PHP scripts, then you don't need to
compile LDAP into httpd at all.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcL4psACgkQ9CaO5/Lv0PDOLgCgqrVJ2WcP2losW5XCTe0ZgrO4
DycAoITYkTBZ+YtQG6JQRWG/mtB86M66
=paaN
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: AW: [users@httpd] How to test my self-compiled Apache (overall and specifically LDAP)

2016-04-12 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Daniel,

On 4/12/16 3:16 AM, Poggenpohl, Daniel wrote:
> can you point me to possible scenarios where mod_ldap would be 
> necessary?

If you want to use any of these directives in your httpd
configuration, then mod_ldap will be necessary:
http://httpd.apache.org/docs/2.4/mod/mod_ldap.html
http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html

Basically, if you want to use httpd for authentication over LDAP.

> The docs say "websites relying on backend connections to LDAP 
> servers." I can't quite grasp it. Would it only be useful if I
> don't use any LDAP libraries in my website code?

I think that is more negatives than you had intended to use in there.

The only time you need LDAP-related modules in httpd if if you want to
use LDAP-related directives. If you use LDAP through PHP, it's
completely irrelevant: PHP contains its own LDAP support.

So if you only need LDAP support within PHP itself, you can ignore all
the LDAP-related modules for httpd.

> Do you know of example websites using this?

Using what?

> Oh, and did I understand it right that authnz-ldap is for basic
> HTTP authentication using an LDAP server?

The answer to that question is insanely easy to find:
http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html

- -chris

> -Ursprüngliche Nachricht- Von: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Gesendet: Montag, 11. April
> 2016 19:45 An: users@httpd.apache.org Betreff: Re: [users@httpd]
> How to test my self-compiled Apache (overall and specifically
> LDAP)
> 
> Daniel,
> 
> On 4/11/16 12:11 PM, Poggenpohl, Daniel wrote:
>> Hello everyone,
> 
>> now that I have a self-compiled httpd, I of course would like to 
>> test its features, or rather if all features are working right
>> when it is running. Is there a way to test my build in general?
> 
>> One specific thing that I want to test is LDAP. I know that a 
>> combination of system LDAP and system SSL works in my case, but
>> I also know that when I use a self-compiled LDAP, something
>> isn't working right. I can do an ldapsearch on the command line,
>> I can build a PHP file and use the PHP cli and it works, but when
>> I make requests over http that end in the use of LDAP functions, 
>> something's not right. So how do I test my httpd LDAP
>> functionality isolated?
> 
>> My httpd build has --enable-authnz-ldap, --with-ldap, 
>> --with-ldap-include and --with-ldap-lib configured. I also don't 
>> really know - if I even need the authnz plugin (doing no basic 
>> authentication if I'm right) - what possible values the
>> --with-ldap switch can get and what it does (I know it is for
>> apr) - why the --with-ldap switch doesn't work like other
>> switches (e.g. --with-ssl=/path/to/ssl) - if I even need ldap
>> support in apache if I only use ldap in php scripts
> 
> If you are only using LDAP in PHP scripts, then you don't need to 
> compile LDAP into httpd at all.
> 
> -chris
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcM/WIACgkQ9CaO5/Lv0PAwwQCfZuTrD7nUXmVTk7cktxWrsg81
/x4An1a18AKnlLWPvU8Pbf/ffmRlU5i/
=qkWm
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Not able to make .so file during install apache-2.4.18

2016-04-12 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hemant,

On 4/12/16 6:40 AM, Yann Ylavic wrote:
> Hello Hemant,
> 
> On Tue, Apr 12, 2016 at 10:58 AM, Hemant Chaudhary 
>  wrote:
>> While installing apache-2.4.18 on Non Stop HP,  I am not able to
>> create .so file(shared file) which is required in httpd.conf. It
>> is creating  '.a ' file in modules but not ' .so ' . Please help
>> me through this.
> 
> Did you compile Apache httpd by yourself? If so, which "./configure
> ..." command line was used?

If you can't remember, your full "configure" command should be stored
in a file called "config.nice" in the same directory as the
"configure" script.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcM/Z0ACgkQ9CaO5/Lv0PDDYwCePHpxUG3yzITHRuMpYWAJytFM
c9oAnjpIRZe3w668omOxWBFKTuykarnJ
=UZh5
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] One page hanging entire server

2016-05-09 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

D'arcy,

On 5/9/16 2:16 PM, D'Arcy J.M. Cain wrote:
> This weekend at various times my server was brought down.  I saw
> one process using over 99% of the CPU.  No pages could be served
> while this was going on.  I found the culprit.  It was a Wordpress
> site and the script was wp-cron.php.  I stopped it by adding a line
> to wp-config.php as
> http://geektnt.com/how-to-solve-wp-cron-php-high-cpu-usage.html
> and other sites suggested.
> 
> However, I am still confused how this one process was able to block
> all other pages.  I have MaxClients set to 100 and 15 other cores
> that they can be run on.  Why didn't my server continue to serve
> requests?

What kind of response were you getting from your server when you
connected with another client? Timeout? 503? 500?

If you tried to hit another WordPress page, it probably ALSO called
wp-cron.php which tried to hit the db to check for outstanding tasks,
and that call probably got blocked by a db record or table lock.

I'm guessing this is really a question for the WordPress community.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcw8msACgkQ9CaO5/Lv0PDhdwCfZQg66WfTk++WjLTsEBYMrnrD
QVEAnipEMAPXxPhYRlz5/zYzJ8iueHYd
=hyjH
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache mod_dav alternatives?

2016-05-22 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Bjoern,

On 5/21/16 5:08 PM, Bjoern Voigt wrote:
> I am using Apache as a web and proxy server, but I am unhappy with 
> Apache as a WebDAV file server.
> 
> I am missing a good file permission or ACL configuration in Apache
> mod_dav.
> 
> My wishlist:
> 
> * "good/flexible" permission control (important) * stable and
> secure (important) * Apache >= 2.4 based or an Apache alternative
> (important) * permission control delegable to some users (nice to
> have) * compatibility with Samba and local users (nice to have)
> 
> The Apache path-based access control with directives like
> 
>   
> require user user1 
> 
>  require group allusers  
> 
> 
> is inflexible, even in small user groups.
> 
> Do you know good alternatives? (Please do not suggest Apache < 2.4
> alternatives. Some good projects have stopped development and are
> incompatible with Apache 2.4. Apache alternatives are welcome
> too.)

mod_dav + mod_auth_ldap + LDAP server?

We use this internally and have scripts to take a somewhat simple
permission-configuration (e.g. /foo can be read by group foo and
writable by group foowriters) and produce httpd.conf-style files with
, , etc. directives for those rules.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXQlAzAAoJEBzwKT+lPKRY13gP/jP9doBi2ca0jN5ShWbKd59K
+zCbf40wPn/HPnE7WbxN+TmzMtlYeQBSeDuj9YkRHGATMfMoVgJ94CK1uWLtXmBL
/2HWfgZcB/CBDJsj4rYr5rD1DT2Z+GZZtHsXLnC+ySokCw0zSetTAz9LxWxtPv9z
VpL2/W2GM3THLYk47hAUQnLV8puHTtHGPubugHWDW3lPhY8FJjfS/PFMNktSKLz5
O4Ysxe1nk9JwxHx4WU4W/FoboH7wT8Rrph3lRejabpRXdqFhm6z2caK/a8lTysOe
FzevFLtFAI6Jqafrnew4moGBaK5LTPIerYB+vzjyhBk/Drbq87TI0IWXK2dBe3Ug
gYWb2OekFcGN8rOu5/f9aIiLhJkArM5zK7d4wHaVYZuWmu4aWKngbwu5/lq8g5au
oWOu+r7s2rsvAJg7jWjOJkHNPFvsjwjpX8N68borcK6ke2Ojw805gj29KDrQLq9k
Yt8koS6CMhUXLaMlqB+v9bYkBErUH1jW4LryQW8jXSagN0I+hOLRZT3xB5exWmfC
PvwKVQFhU8N9NFS6/csjMZHSmVa/i3Q8rQDldWT54CqUIFeq7X3W5s5T3KJtHnkx
ntL1HiO6AdiEABmdBZDZ2eJbMiNmhLDWnALvQ2ZAd5mwb/a1TZlJR08odtwds4gg
pYaFHWZpvjF1LtIan4Do
=UNgs
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Secured connection between Apache Httpd and Tomcat over AJP protocol

2016-05-25 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mohanavelu,

On 5/25/16 10:16 AM, Mohanavelu Subramanian wrote:
> Hi All,
> 
> Good Morning.
> 
> I have Httpd process and Tomcat instances both running on 2
> different machines. The communication between them happens through
> AJP protocol (mod_jk) which doesnt support encryption. But we are
> using some features of mod_jk like automatic passing of security
> information like SSL certificate to tomcat which inturn is accessed
> in our application, validated and verified.
> 
> Now, we have requirement to make the communication between them as
> Secured. Since AJP doesnt support encryption, I came to know that
> we need to use SSH, IPSec. But I could not find any proper document
> to configure SSH or IPSec for AJP. Could please share if you any.
> 
> I have considered mod_proxy_http as well for supporting security
> which is easy to configure as well. But as I mentioned above we are
> already making use mod_jk features. Again it will require more
> efforts to migrate from mod_jk to mod_proxy_http.

https://wiki.apache.org/tomcat/AJP%20with%20stunnel

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAldFywUACgkQ9CaO5/Lv0PD+HgCfRLwHwEDFFPXcWUhHNUQw/E6o
BH0An2M8pvWl/RNK+K3dNOJRQSDoTgtC
=INoF
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] SVN checkout of latest official Apache release

2016-06-09 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mike,

On 6/8/16 12:10 PM, Mike Rumph wrote:
> 
> On 6/7/2016 5:54 PM, Balcos, Michael wrote:
>> 
>> Hi Mike,
>> 
>> 
>> 
>> Thank you for the reply. I believe that I’ll have to write a
>> script in order to know what is the latest official release of
>> Apache 2.2 under 
>> https://svn.apache.org/repos/asf/httpd/httpd/tags , and then do a
>> svn checkout on the said release. I need to automatically get the
>> latest official release of Apache 2.2 (and 2.4). I will proceed
>> to write the script with the information you’ve given. Thanks
>> again. J
>> 
>> 
>> 
> Hello Michael,
> 
> Forgot to mention the obvious. The easiest way to know the latest
> official release version numbers is from the Apache HTTP Server
> project home page:  http://httpd.apache.org/

I think Michael was hoping for an "always current" URL he could hit, lik
e:

$ svn co https://svn.apache.org/repos/asf/httpd/httpd/tags/2.2.x-latest

A redirect that sent that to
https://svn.apache.org/repos/asf/httpd/httpd/tags/2.2.31 would be kind
of nice.

That would allow an automated script to always pull the latest
version, rather than having to screen-scrape the project home page.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAldZ0mAACgkQ9CaO5/Lv0PAELgCfZ5G7u0jpheEUihuMu6RNabtV
1ooAoLxx0f3+lprDn4rlD+6c0d2lV3f4
=G3Dd
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] LetsEncrypt.org with Virtual Hosting

2016-06-14 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Filipe,

On 6/14/16 3:15 PM, Filipe Cifali wrote:
> Your are probably hitting the wrong cert file, check with:
> 
> |openssl s_client -connect example.info:443
> |
> 
> You can also try to disable the first SSL and check if you hit the
> right one after.

You may have to do this:

$ openssl s_client -connect ip_addr:443 -servername 'example.info'

This will allow you to connect to a local test machine and still tell
the server that you are trying to connect to example.info.

Rich,

Why are you using example.info instead of your actual domain name?

- -chris

> On Tue, Jun 14, 2016 at 4:08 PM,  > wrote:
> 
> For some time, I have been hosting about 10 sites unencrypted.
> But since people other than just myself will be using my
> squirrelmail, I decided to encrypt my server.  I had delayed it
> simply because keys are too expensive to buy, but now I learned
> about LetsEncrypt.org and have been working in that direction.
> 
> So far, I moved two websites over to this server, example.com 
>  and example.info .  My 
> first test of the LetsEncrypt software was of the form of:
> 
> # letsencrypt-auto -apache -d example.com 
> 
> but I ran into a caveat with www.example.com 
>  not being accepted.  I decided to re-run 
> with the other domain included as well, so I did the remaining
> three combinations:
> 
> #letsencrypt-auto -apache -d www.example.com 
>  -d example.info  -d 
> www.example.info 
> 
> The conf files for the sites are fairly straight-forward in my 
> mind.  There are four of them:
> 
> #/etc/apache2/sites-available/80-example.com
>    
> ServerAdmin webmaster@localhost DocumentRoot
> /var/www/example.com/public_html/ 
>  ErrorLog
> ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log
> combined ServerName example.com  ServerAlias
> www.example.com   
> 
> 
> #/etc/apache2/sites-available/443-example.com
>    
> ServerAdmin webmas...@example.com  
> DocumentRoot /var/www/example.com/public_html/ 
>  ErrorLog
> ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log
> combined SSLCertificateFile
> /etc/letsencrypt/live/example.com/fullchain.pem 
>  SSLCertificateKeyFile
> /etc/letsencrypt/live/example.com/privkey.pem 
>  Include
> /etc/letsencrypt/options-ssl-apache.conf ServerName example.com
>  ServerAlias www.example.com
>   
> 
> #/etc/apache2/sites-available/80-example.info
>    
> ServerAdmin webmaster@localhost DocumentRoot
> /var/www/example.info/public_html/ 
>  ErrorLog
> ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log
> combined ServerName example.info  ServerAlias
> www.example.info   
> 
> 
> #/etc/apache2/sites-available/443-example.info
>    
> ServerAdmin webmas...@example.info  
> DocumentRoot /var/www/example.info/public_html/ 
>  ErrorLog
> ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log
> combined SSLCertificateFile
> /etc/letsencrypt/live/example.com/fullchain.pem 
>  SSLCertificateKeyFile
> /etc/letsencrypt/live/example.com/privkey.pem 
>  Include
> /etc/letsencrypt/options-ssl-apache.conf ServerName example.info
>  ServerAlias www.example.info
>  
> 
> Notice that SSLCertificateFile and SSLCertificateKeyFile are the 
> same for both of the domains, because they use the same key of 
> example.com .  The website, example.com 
>  works perfectly fine.  But example.info 
>  has serious problems (On the order of 
> NET::ERR_CERT_COMMON_NAME_INVALID).  Who has an idea on how to fix 
> this?  I can't experiment too much because I'm limited to 5 keys
> per week so learning this myself is a very slow-track process.
> 
> There are a number of HOWTO documents out there, but there is very 
> wide variance in their steps that I have little confidence in
> them, but have chosen one and decided to try at it.  Once I get
> this established, I promise to write a blog article explaining the 
> procedure a little bit better
> 
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>  For additional
>

Re: [users@httpd] find IP and PORT in use by Apache

2016-06-21 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mahmood,

On 6/21/16 2:29 PM, Mahmood N wrote:
> How can I find which IP:PORT Apache web server is monitoring? There
> are some network commands (netstat -pat), but they show the TCP
> port in use. The machine has multiple network interfaces and the
> |Listen| section in |httpd.conf| is commented. So, one of the is
> used by default and I don't know which one is set as default.

netstat will show the interface in use as well as the port number.

> Any idea to find that? The linux is Cenos-6.1 running rocks.

The only directive that causes Apache to listen on a network interface
is "Listen".

Remember that "Include" can be used to include other configuration
files, so if you are searching only httpd.conf, you may need to look
in other files as well.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXaYlsAAoJEBzwKT+lPKRYHPMQAJlXoJsitHD46+DHSzl1sHrQ
HzLY/K3nkA8xPfZU9rwhvxUXsXDjsoLPSx+egGkJzu+DMJQVVRzJBtPNdxc46ERO
/YgJGAJzLgAZ0Z/HZQO/TBRcuQltH0xYidbsPezCJyH7le7Voih2N20E3jrqqXIZ
ZYlc6HhqhRZ3lV3GZBqlM3PNtf5gzadxCIpBiMQeSH/Rrhaq6y3J3a+O7RfqwIlO
rit5GWYDd5P3GIFgo7nrr3quKXl8qyVB/Zq1cfZzVOWLR2JKIp2QhqOK/Q5eWIvg
pqex2ztpMVJdCM8hVT3B6kcx4Zkfo2gvg/UjTW2QLsMJos6L83GO5w7/bWagYc6Y
Y3MJp2R3aqHS/kRieVVN+Bn6c5VF8cIBS1tQvEaZXM/elG2IALY01PxJrYatE5QO
+AegdtizKyqk22p2weCYL08MJXH6GR6XzSlWuQmwxvFCeDcK2GtFqUfy8MvE7Ak+
rn5ejV7pFJ+ywhaj3JmYogefckvS4Tr+4HqgIHhJsLkszMFWdWCeMKTWILhNBnVL
7FzcvBXsg/ryOS9LS8WAawnYSHQJK3a3G5+ADDRFJtsFJ4nRDYJlI8gi6YfVYh0y
IFXzn1WT/2UEl2yRJ87L7hTMFF8mftFBH5JGlWPR5MrJeEcMiMisoR8hBLJqUBv2
OLXp5MWIyoj38sSZQ7JG
=COPy
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] find IP and PORT in use by Apache

2016-06-21 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mahmood,

On 6/21/16 2:45 PM, Mahmood N wrote:
>> tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN 28122/xinetd Shows the
>> port, 5666, the PID, 28122, and the program name, xinetd
> So, you still don't know what is the IP address (network
> interface)? I mean eth0, eth1 and ...
> 
> Mine is different!
> 
> root@cluster:~# netstat -pat | grep httpd tcp0  0
> *:ulistproc *:* LISTEN  3940/httpd tcp
> 0  0 *:https *:* LISTEN
> 3940/httpd

It helps if you don't grep-out the header line that tells you what the
fields mean:

$ sudo netstat -pat | grep '\(^Proto\|httpd\)'
Proto Recv-Q Send-Q Local Address   Foreign Address
  State   PID/Program name
tcp0  0 *:http  *:*
  LISTEN  1362/httpd
tcp0  0 *:81*:*
  LISTEN  1362/httpd
tcp0  0 *:https *:*
  LISTEN  1362/httpd

The fourth column tells you the local address, and the "*" means "all
interfaces".

If you use the "-n" switch, you'll get:

tcp0  0 :::80   :::*
  LISTEN  1362/httpd
tcp0  0 :::81   :::*
  LISTEN  1362/httpd
tcp0  0 :::443  :::*
  LISTEN  1362/httpd

So you can see the IP address is "::" (IPv6 "unspecified address")
which means the same thing.

>> The only directive that causes Apache to listen on a network
>> interface is "Listen".
> 
> As I said, that section is commented. So, there should be a default
> ethX and port.

The default interface is always "all interfaces". IF you want to
listen on a specific interface, then do:

Listen 172.20.54.10:80

https://httpd.apache.org/docs/current/mod/mpm_common.html#listen

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXaY5AAAoJEBzwKT+lPKRY3Z8QAJrvzXMBShddQxhIGcfRoWf0
kRHTCT1MF8tDK8xClJQzq/gDXO2Zcvdc6HGWU5Kdx+3si0RLlHi9bOpZL/jzJBuu
Bu3QtveAfEeoh+BIZuIrgLK5QLVRkE+jZGXK82xeDdFQSHAMVz078JysDJha1rCK
AnPf28NMJ4SJaKv1j1ai/8rzFNYO5/uYWQdfcl1job07Je0msdbcfPAw+aG4FV+z
Y1XFzhhFn0nAXZvLSMB+IQYiQHpsE7Mre7LKXlkpi/M4930pBauWjaFiPULgVTHu
dqJxLyTUsw3eCZ+56dcWz2bqh6sOUrk16rUezG0WCZW3piOgS98AG29s7aBuzm2X
n1FAteifWHaHULw28neX49cfpqQlYOvt97nFUaBqH1wcVpIprXA3sldzwe7BYz6S
SpyeRziG7slQD5y68t+Zo2/spJbu/jnIptywGAJyinvhcq/RvsuXo0vHHPwPzIAW
E65qqHNN1BFinlkRQWN1SbJ14xQO/EziPa/RN9qmlhz8tMweSQrpb2iHG/tIij2R
1V6umfjGYZQth5POcI8QaCnx+yMMP1gCh4HXp2wxVUDLgw1GN40PSqPGdezjaWfr
Zj3jif53qvN1Qj57SEETWF3x1Qfff68Un1GM+t8nsEicfnhBcUYePmN+DCHxCNsh
5LixcYjFtA3KfmimkJi7
=N1l5
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] find IP and PORT in use by Apache

2016-06-21 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mahmood,

On 6/21/16 2:54 PM, Mahmood N wrote:
> You know, the problem is that compute nodes in Rocks distribution
> use Apache web server to locate the install image. Currently, the
> compute node, says Unable to retrieve 
> http://10.10.10.1/install/rocks-dist/x86_64/images/install.img 
> 
> 
> The guys on Rocks mailing list suggested that
> 
> 
> 
> the root of webserver tree is: /var/www/html the install
> subdirectory is soft-linked to /export/rocks/install if the
> webserver can't find the install.img, then your distro is likely 
> corrupted. To fix that problem: # cd /export/rocks/install; rocks
> create distro If you have somehow changed the configuration of the
> webserver on your frontend, you need to figure out what was
> changed.
> 
> 
> 
> However, the soft link is present
> 
> root@cluster:~# ls -l /var/www/html/ total 36 lrwxrwxrwx  1 root
> root   30 Apr 29  2014 blast -> /opt/bio/ncbi/network/wwwblast 
> drwxr-xr-x  2 root root 4096 May  2 15:46 download drwxr-xr-x 17
> root root 4096 Apr 29  2014 ganglia drwxr-xr-x  4 root root 4096
> Apr 29  2014 gromacs drwxr-xr-x  2 root root 4096 Apr 29  2014
> images -rw-r--r--  1 root root0 May  1 14:28 index.h lrwxrwxrwx
> 1 root root   21 Apr 29  2014 install -> /export/rocks/install 
> drwxr-xr-x  2 root root 4096 Apr 29  2014 misc drwxr-xr-x  9 root
> root 4096 Apr 29  2014 phpsysinfo -rw-r--r--  1 root root0 Apr
> 29  2014 robots.txt drwxr-xr-x 14 root root 4096 Apr 29  2014
> roll-documentation drwxr-xr-x  3 root root 4096 Apr 29  2014 rss 
> drwxr-xr-x 24 root root 4096 Jun  1 03:09 tripwire
> 
> root@cluster:~# ls -l /export/rocks/install total 20 drwxr-xr-x  3
> root root 4096 Apr 29  2014 contrib drwxr-xr-x  3 root root 4096
> Apr 29  2014 rocks-dist drwxr-xr-x 17 root root 4096 Apr 29  2014
> rolls drwxr-xr-x  2 root root 4096 Apr 29  2014 sbin drwxr-xr-x  3
> root root 4096 Apr 29  2014 site-profiles
> 
> 
> 
> The front end (the head node) has not been rebooted for more than
> 2 months, and I have some how configured the httpd for some tests!
> 
> Now I see that something went wrong.
> 
> Do you have any idea?

$ ls -l /var/www/html/install/rocks-dist/x86_64/images/install.img

If there is a file there, check:

1. Directory read-permissions for all directories in the above path
(ensure that the httpd user/group can execute)

2. Symlinks are allowed in /var/www/html (this will be an "Options"
directive in httpd.conf)

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXabUZAAoJEBzwKT+lPKRYIHoP/jeLeM+/Su0rOD8QzclHtJVl
nuAryFKjTyo3JtcemNhfJ3u8/htRxyJJYfuBSt0qbStKr/pTl8r2E7fS5SjAM9A6
+/sndQaFcWXpRkikr1y8Axax30V8iXp6oml0zp0Y5ztGQTHe9mZqRwY9bXcB5Uar
8H1GZGUC17EoqAD9qKeCuDYMOIddukweNFKQnyv0oOFHjzOyfpiF9rJ9aeHXVi03
/BwRirVypackvs1qah+fqcswg9qsjQ66mel+H1DjMTzBf8sk0ZISHNO64dd57BIq
RJS/oJiTf82aS7UCJAUkB7QG8pBc3b2wTbkXQNYLevM9KDt88c2bYUPqP9HNxsTb
eIRPIVqqOlgKuAJhI1zGDalnCEGXuXPm2HEhSaoBXw6gaBTzIbTi3YGLGTJDY6+x
DrM37Iz/iiqRohiH2YJG4yZ9/poqc7LcGqDhfaRoIDTFadjDJ0JsHDJ7rWyxSwko
DkXkIkqnmGM5Wl9Q7SmhsNEq7walwmH2BwiGA7K0XhlguRajep8MvtyAyJWsPR4l
NbuFlN92gdjtMHU+7WHqT53gFnSaq5Bs475W/WprXlBUOpNlLvW2fdF1ChuYzFLu
h3w2QSyoBWYxw3iFnEOTyJHGe1Dt2csWvb4KbhrgDKHf+bEg3plIJC8dHlBsKK+5
SBuf4PdMQqjQhV3Tql/1
=d0RY
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] find IP and PORT in use by Apache

2016-06-21 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mahmood,

On 6/21/16 5:43 PM, Christopher Schultz wrote:
> Mahmood,
> 
> On 6/21/16 2:54 PM, Mahmood N wrote:
>> You know, the problem is that compute nodes in Rocks
>> distribution use Apache web server to locate the install image.
>> Currently, the compute node, says Unable to retrieve 
>> http://10.10.10.1/install/rocks-dist/x86_64/images/install.img 
>> <http://10.10.10.1/install/rocks-dist/x86_64/images/install.img>
> 
>> The guys on Rocks mailing list suggested that
> 
> 
> 
>> the root of webserver tree is: /var/www/html the install 
>> subdirectory is soft-linked to /export/rocks/install if the 
>> webserver can't find the install.img, then your distro is likely
>>  corrupted. To fix that problem: # cd /export/rocks/install;
>> rocks create distro If you have somehow changed the configuration
>> of the webserver on your frontend, you need to figure out what
>> was changed.
> 
> 
> 
>> However, the soft link is present
> 
>> root@cluster:~# ls -l /var/www/html/ total 36 lrwxrwxrwx  1 root 
>> root   30 Apr 29  2014 blast -> /opt/bio/ncbi/network/wwwblast 
>> drwxr-xr-x  2 root root 4096 May  2 15:46 download drwxr-xr-x 17 
>> root root 4096 Apr 29  2014 ganglia drwxr-xr-x  4 root root 4096 
>> Apr 29  2014 gromacs drwxr-xr-x  2 root root 4096 Apr 29  2014 
>> images -rw-r--r--  1 root root0 May  1 14:28 index.h
>> lrwxrwxrwx 1 root root   21 Apr 29  2014 install ->
>> /export/rocks/install drwxr-xr-x  2 root root 4096 Apr 29  2014
>> misc drwxr-xr-x  9 root root 4096 Apr 29  2014 phpsysinfo
>> -rw-r--r--  1 root root0 Apr 29  2014 robots.txt drwxr-xr-x
>> 14 root root 4096 Apr 29  2014 roll-documentation drwxr-xr-x  3
>> root root 4096 Apr 29  2014 rss drwxr-xr-x 24 root root 4096 Jun
>> 1 03:09 tripwire
> 
>> root@cluster:~# ls -l /export/rocks/install total 20 drwxr-xr-x
>> 3 root root 4096 Apr 29  2014 contrib drwxr-xr-x  3 root root
>> 4096 Apr 29  2014 rocks-dist drwxr-xr-x 17 root root 4096 Apr 29
>> 2014 rolls drwxr-xr-x  2 root root 4096 Apr 29  2014 sbin
>> drwxr-xr-x  3 root root 4096 Apr 29  2014 site-profiles
> 
> 
> 
>> The front end (the head node) has not been rebooted for more
>> than 2 months, and I have some how configured the httpd for some
>> tests!
> 
>> Now I see that something went wrong.
> 
>> Do you have any idea?
> 
> $ ls -l /var/www/html/install/rocks-dist/x86_64/images/install.img
> 
> If there is a file there, check:
> 
> 1. Directory read-permissions for all directories in the above
> path (ensure that the httpd user/group can execute)
> 
> 2. Symlinks are allowed in /var/www/html (this will be an
> "Options" directive in httpd.conf)

Also, log files are good things to look at.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXabc1AAoJEBzwKT+lPKRYnpAP/R3/kGwyZVdG1uRANEHJ3oyH
ef4RlGAtqwxA6o/whFlF5SDoHSod+MoRQbJDL1uopm3bNUg0jpzzELNFV9/IK598
MmVScQg4xhvGT9Z/hf0PYr+1Ytbz7lu8xQp9rLxjZn5W8jHbcYuhA8oZTB7ws2vD
lzyZAi952G37bzBknz5FKNgf9ztzDGAkypB4kiiAzEXXwuUy36F2RZNX9Tm0cQ7Z
MV/m94Ezx2FDdHwowtJfvvSYvy/knxNT8cVyzZ9kmFOteUM7MlUBJBZCAqvxZCk1
hhV7V8qbIjC/A9J87Ir+Kg8yia+FuJ0KTxMa50OGn8kJL3J3c9sR/JcCeAKlMilv
LiyZjWf1cCbyRG1vTNC7xdtJ0Pl+wnZdp8u5XsKjA5luqI1JKLeufGmaOK+UaZOd
2OHZWaGIiYLg+1UTt7TUVj7BVsQ/W1lSEAeaxXp7gpmC3M9C1IE4jhD1lkARDV9H
Gfvf/aNxHDVYo9vPI0jrudan4TWjTdcVGmFnAQ2RQ+HW4xggwfu+jzLN2J9vXK18
4axBcoSJ1hr4k7ABXGKHiwToifW/Qd75i2kYRDh9AzXYzu1KkABSRkoQqYXfj7sg
baI4XUJRedldHSh1HynDc7LSBa2joPboDsXuKjVXkKBRWWgu7VWey901auy3NQGe
alqDWj+lqmnLhU5799oN
=MgJp
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Location location location

2016-07-18 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

I have a long-standing configuration for a private server where all
users must authenticate against our LDAP server. Something like this:


  AuthType Basic
  Require ldap-group mygroup


I'm trying to use certbot to get a TLS certificate for this domain
from Let's Encrypt, and I'm having trouble getting LE access to the
server: I keep getting "401 Authentication Required" responses.

I changed the configuration to the following:


  Order allow,deny
  Allow from all
  Require all granted


  AuthType Basic
  Require ldap-group mygroup


And restarted. My LDAP stuff still works, but I can't access the
"/.well-known/" URL space without authenticating.

I don't have any other authentication-related items in this VirtualHost.

I believe by putting the exception-Location first in the configuration
file, I should be able to trump the general configuration affecting
the "/" URL-space, right?

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXjRuEAAoJEBzwKT+lPKRYDZYQAJcvDQ+hmK36CEBA9jdDnBwY
p1SG/6dhB/dA6aUrn2O8BLKBnyQKZKeNvm4M4U0tDyxpgvbjivsvW38ZpQjfyi4s
BnJJtaBB1NRVC+/NGGy2iry47cRTRXjibY+CCpL6zKp4R1G0DcustjA8xS6k3PRd
7GTaViUJaHQ53tDT2lJRHhhG6QGunyUtzUBvF4+LaM2rGW0AOk7UrHreNeMibfNc
1k7LDlM6Y2m7k9GoKGy1sN0mpFIzC64xEsEunGN6Qk8OzCdUeOJShCm/T7Ka3rvE
uZp5LT5foqXLxJ56HiBqNyHo44s0KHuu5LX9CiPLInwyWNFKE2gxcTbKfyfZG5L6
ZBZbGYCqoptTO9nNDxa1uJ87UwfLseEf5YcbP+GAORmrllfi6o8dLgm1umN/KETK
auRqyrCFy+yTc6j24SRdqAB9p25RVm5FFsrRZcyIOlUos4hPnYhl5PZOs04qik0a
6LXbTTFvc8zBLSDUbZS0rSN/czvfc6R1kovvBZ9RfE6q4asg/ftAelTOF3Gef/TQ
JEE4zuBOTP/M1V6wXdjKMx0CZ4yL9GTJFHz5jMFEWXSwgzTuazAgN0q1PE2pk+94
sI/eDMJ1U3DnT8R/1ueYcPkEJF6yH7+z/HmOubx9/gSBZyWlGYUEu3CMxhqh0xIh
k96615lXGbZ1c3qCY9tG
=1Zj1
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Location location location

2016-07-18 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Eric,

On 7/18/16 2:12 PM, Eric Covener wrote:
> On Mon, Jul 18, 2016 at 2:10 PM, Christopher Schultz 
>  wrote:
>> I believe by putting the exception-Location first in the
>> configuration file, I should be able to trump the general
>> configuration affecting the "/" URL-space, right?
> 
> 
> Matching location sections get merged together in the order they 
> appear.  Meaning the 2nd is applied on top of the 1st.
> 
> For authorization, the default is to replace.  Meaning your
> override should be 2nd.
> 
> You might have some addl complexity by using the compat module for 
> Order here. I would avoid it!

I tried:


 Require ldap-group



 Require all granted


... and I'm still getting 401 responses. :(

(In fact I tried it before posting, 'cause I didn't want to make an
idiot of myself for not trying an obvious alternative!).

Hmm... it seems I'm running Apache 2.2.22 with whatever Debian has
back-ported to it (I assumed it was 2.4, since we have that deployed
nearly everywhere these days). Does that change the incantation I need
to replace the "Require" directive in the .well-known Location?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXjR/QAAoJEBzwKT+lPKRYaeUP/RF6emHi2DgT97xRDp7xoXb3
fNU+PrluzhjIGuqnYCGnpvcQ18fVa75R6qLITyH/hCquJKCNR9qZ+I3AQr//HH5O
FWVHcZxS0is1yxugG6Dl+hghIAPKfCd7gbPDoJnirGQoxQwTFnvdPcOyYUK16X1N
KerTDq0LGJTASWGFxO/eifvrtcHy84aCjQSQtfqBboJpoOBzf57cZVEW4hU0e0jl
vghsxSjyo7hWhCRQI3zyj34nnKjznVHOObNM9DKQXTBcHrR+L3UFx5nhHN6GwrdP
KbNCngPWYLHd0Vh2+WR7URzQ2ehO89jEvd9y0RwZbeBnU8DFLEAoWZJEFo0/kfTf
ZEdvtkC9OEeEHldSIwNri68QSKoDGoYuGVtlT2kaPbCoqcpYq5xYoME/GHl067DX
7vARHZtUjOvFVAZxGxRdI2LWe/Nh1ZaErG8f1OlWTCv7vnr11vOFfdQi8zYydW/l
L//4SqZ4ZJxgBTp4qMaLQArRtio03sA7YTIM0h/m8qdL7F2beSn8IE6PmDEVrwak
Pm6P3Z9asp/hGtlrLw9V/+mIjH8vQD9IonJh+ewM3ea7xI3/qNGHcx6Q1Llhd6I+
mPWGrBMyftrINPKdspdoRFvWWH3up5d3tmFbA5dGDoRPqjg51SSkioFjfkIuJGx6
B2h41PDPlLYcY8sP7xyV
=O9+B
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Is it possible to set different protocol for particular User-Agent?

2016-08-09 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Daniel,

On 8/3/16 4:55 AM, Daniel wrote:
> No, by the time the user agent or any actual http data gets to be
> seen the protocol/cipher and complete ssl connection has already
> been stablished.
> 
> 2016-08-02 23:26 GMT+02:00 ghost  >:
> 
> Hello there,
> 
> I was trying to show a notice page to IE6 users since my site 
> doesn't support SSLv3 anymore. And the problem is how to enable 
> SSLv3 only for IE otherwise the IE6 users won't be able to see the
> page.
> 
> I found some tricks about '' in the documentation, which 
> allows me to set different protocol and cipher suites for
> particular URL. I wonder if there is a method to set the protocol
> for particular UA?
> 
> Thanks, ghost

There *is* a way to do this.. kind of. I did it long ago when we were
thinking about changing our protocol support, etc. I no longer have
the configuration, so I'll explain what we did:

1. Configure mod_ssl for the lowest protocol/ciphers you will support
2. Use  and/or  to change the TLS protocol
requirements for truly sensitive communication
3. Use mod_rewrite to check for certain protocols / ciphers and
redirect to a "protocol support is being dropped" page
4. Set a cookie when the user ACKs the protocol support change

It's messy, but it works.

The real solution is to simply disable SSLv3 since everybody has done
it already. MSIE6 can just die.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXqf2XAAoJEBzwKT+lPKRYfiYP/3/2pY4U3V4YFCEkpY/N7VjP
uTO7PWb8f7GvNW7X0BT0RMkq1bhdw1N8lV6xWfouMgOAjwPYoHjLMHOyDFIdJUu/
5CA77bt7k4tijXHqJE3eINY4MJZ6Z/4XC41UYeSDTJBXdVFnEW/H2kOBC8yIWaQm
vQrDp5a8TEWCQ3UMU5UiBlT2X/7qAd0GK6KUW4z+PC09u/packXspZ+cfs+O7h7I
JDK8rRflIqVL1jELVRrqbj6js8jTgONV9PN7ArEGrWdiZG7ARaXM5C+BO6LN1zqf
qlW7tBRL6OksFaBreA4plhgCQOZjyGNb+LgXB/3xWF0Qb5fx+02Fzwdc14Cf4Im7
yIMYPAhSq+Myt9i5dFl5dustsYk39Gy9ro0gRulsXhPcrqiip6ldCHahN3sn1R03
u+HRIFIMYySmr+SKkdZK+JQ7Y/Qvtyw0RCkLReidwLhKqTkf9F3gVVcmQUqYLk7g
E3UiXsioy9TMiywbE8RSKC+8E+L0OG4kv5s4EHZ11F8ja38cDqrGdXOFt1L6yk/S
T801Oh4uMfJalpfTrlDUeOINB4G27G621tfZHBpjE42vO2Hle0BV2tmp9WzPDjwz
6sFCfKmn/cDT3vCiegxlsE2XtiADRPexHdoEzWm9m8ZoQGVW65ip0RkNUFcjmf2q
KQZGC5YToFII1lj5wE49
=UN7o
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] HTTPD asking for password after power failure

2016-08-12 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

On 8/11/16 11:10 PM, Marat Khalili wrote:
> From what I saw, this behavior of /dev/random is totally normal on
> an idle Linux system.

There seems to be some confusion about /dev/random on Linux systems.
Yes, the behavior described here is normal: when the system comes up,
there is very little entropy available on /dev/random. /dev/random
needs random events to occur in order to provide that entropy, and
those events are things like I/O interrupt timings, etc.

IIRC, Linux relies on the keyboard to generate lots of those events
and, on a server, the keyboard by definition doesn't get used. So
other events are required to fill that entropy pool. So, after a
reboot, the entropy pool is "shallow".

/dev/random is supposed to be a source of high-quality randomness
/dev/urandom is supposed to be a source of low-quality randomness

> Just do not ever use /dev/random.

The choice of which to use is up to you, but remember that low-quality
randomness gets you low-quality crypto keys. But to say that one
should "not ever use /dev/random" is really bad advice.

- -chris

[1] https://en.wikipedia.org/wiki//dev/random#Linux

> --
> 
> With Best Regards, Marat Khalili
> 
> On July 30, 2016 6:04:42 AM GMT+03:00, Nick Williams 
>  wrote:
> 
> It took me a while to get back to this (it’s not a
> mission-critical server, but I have hit a point where I really do
> need to get it working again).
> 
> `apachectl restart` hung for many, many minutes without any input, 
> and I eventually quit it. I ran it again with `strace -Ff
> apachectl restart`. Towards the end it had read all of the vhost
> config files and opened up the request and error logs configured in
> them, and it read the media types config file:
> 
> [pid 22537] read(35, "# This file maps Internet media "..., 4096) =
> 4096
> 
> But after that is where things got weird:
> 
> [pid 22537] mmap(NULL, 8192, PROT_READ|PROT_WRITE, 
> MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f73aff27000 [pid 22537]
> open("/dev/random", O_RDONLY|O_CLOEXEC) = 35 [pid 22537] read(35, "
> p$\242\33\241", 1024) = 6 [pid 22537] read(35,
> "\205\31\345\274A\336", 1018) = 6 [pid 22537] read(35,
> "\335\16\7\370\343\311", 1012) = 6 [pid 22537] read(35,
> "\265\362\20}F\234", 1006) = 6 [pid 22537] read(35,
> "\223}\\\0+\242", 1000) = 6 [pid 22537] read(35,
> 
> Each `read` line there took about a full minute. It’s spending 
> FOREVER reading from /dev/random. That led me to try to read from 
> /dev/random, and it is only generating a byte every few seconds. I 
> don’t know why, but /dev/random appears to be borked on this
> machine.
> 
> I changed ssl-global.conf to use /dev/urandom instead of 
> /dev/random, and it started right up in a matter of seconds.
> 
> I know this is now off-topic, but does anyone know why /dev/random 
> would suddenly be gathering almost no entropy? I have never had
> this problem on this system before.
> 
> Thanks,
> 
> Nick
> 
>> On Jul 16, 2016, at 9:56 PM, Frank Gingras > > wrote:
>> 
>> Try to use apachectl restart instead to bypass your init
>> scripts. The latter are likely to hide actual errors that would
>> appear on STDERR.
>> 
>> If apachectl restart still gives you that error, perhaps your 
>> distro mangled it as well. Then, I would use strace with httpd
>> -X to get the complete picture.
>> 
>> On Sat, Jul 16, 2016 at 6:47 AM, Nicholas Williams 
>> > > wrote:
>> 
>> I have a server running OpenSUSE 42.1 with stock Apache HTTPD 2
>> installed from the package manager. It has been running without
>> issue for well over a year. We've restarted the service and the
>> server since then without issue. The service always starts  on
>> its own when the server boots.
>> 
>> Last night we had a power failure. The sever came up fine. All 
>> services, including MySQL, started fine. No obvious issues appear
>> anywhere. But HTTPD didn't start automatically. So I logged in to
>> the server to investigate and try to start it.
>> 
>> `service apache2 status` said FAILED with no details. 
>> `/var/log/apache2/error_log` showed nothing since the day before
>> the power failure.
>> 
>> `service apache2 start` hung for about 2 minutes, and then said
>> FAILED with no details. `/var/log/apache2/error_log` still showed
>> nothing since the day before the power failure. There was nothing
>> in the system log since my log-in to the server.
>> 
>> So I tried `strace -Ff service apache2 start`. The only thing I
>> see suspicious is it calls open on 
>> `/run/systemd/ask-password-block`. It appears it times out after
>> never receiving a password. But I have no idea why it would do
>> that. None of my SSL certificates have passphrases, and I've
>> always been able to start HTTPD without a password.
>> 
>> I'm at a loss here. Any suggestions?
>> 
>> Thanks,
>> 
>> Nick 
>> -
>>
>> 
To unsubscribe,

Re: [users@httpd] How to restart apache after reboot on ubuntu 16.04?

2016-08-17 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 8/17/16 4:12 PM, Dr James Smith wrote:
> It may be possible to write your own auto-renewal script
> relatively easily for LetsEncrypt. I have done for Apache as (a) I
> don't use the standard paths and setup, (b) I wish to use HPKP on
> my servers for additional security and "Lets Encrypt" auto scripts
> generate a new key each time which breaks this (the signature
> changes and is unpredictable) - so my script generates a lets
> encrypt request with the appropriate key (either the same OR the
> backup key I've already generated) I now have a relatively simple
> script which reads my config file and generates keys accordingly if
> required (the only thing it doesn't do is restart the server for
> the new certificates to be read) but it does inform me this is
> happening. It shouldn't be to difficult for nginx to do similar

It might be nice to provide a patch to certbot for that kind of thing.
Others would certainly appreciate it.

- -chris

> On 17/08/2016 20:23, R wrote:
>> It seemed like the auto-renewal process for ssl from LetsEncrypt
>> is not supported yet for nginx, at least according to this
>> article on its publication date:
>> 
>> https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-
with-let-s-encrypt-on-ubuntu-16-04
>>
>>
>> 
My needs are really simple and I wanted to go with whichever would be
>> simpler to setup.
>> 
>> On Wed, Aug 17, 2016 at 2:50 PM, Dr James Smith
>> mailto:j...@sanger.ac.uk>> wrote:
>> 
>> Depends on your backends - nginx is good if it is serving 
>> primarily static files and or proxying back to quick responding 
>> backends. It seems to be less well suited to slower/heavier 
>> backends. Apache always seems to work - slower mind you - but 
>> always seems to work... So if reliability is your requirement
>> then nginx may be a problem!
>> 
>> 
>> 
>> On 17/08/2016 19:41, Erik Dobák wrote:
>> 
>> why did not you use nginx anyway? should be faster and modern. 
>> did not have the chance to try that yet myself. still using
>> apache everywhere.
>> 
>> On 17 August 2016 at 03:18, R > > wrote:
>> 
>> Ugh sorry, I had a test installation of nginx on the machine,
>> which was not fully removed after doing "apt-get remove". Looks
>> like it would still start up somehow. After I purged nginx, then
>> apache2 started ok after reboot.
>> 
>> Thanks
>> 
>> On Tue, Aug 16, 2016 at 8:57 PM, R > > wrote:
>> 
>> Hi, this is everything from cat /var/log/apache2/error.log:
>> 
>> [Mon Aug 15 13:42:17.138117 2016] [mpm_event:notice] [pid
>> 26081:tid 139773925775232] AH00489: Apache/2.4.18 (Ubuntu) 
>> configured -- resuming normal operations [Mon Aug 15
>> 13:42:17.138282 2016] [core:notice] [pid 26081:tid 
>> 139773925775232] AH00094: Command line: '/usr/sbin/apache2' [Mon
>> Aug 15 14:55:14.003814 2016] [mpm_event:notice] [pid 26081:tid 
>> 139773925775232] AH00493: SIGUSR1 received.  Doing graceful
>> restart AH00112: Warning: DocumentRoot 
>> [/var/lib/letsencrypt/tls_sni_01_page/] does not exist AH00558:
>> apache2: Could not reliably determine the server's fully 
>> qualified domain name, using 127.0.1.1. Set the 'ServerName'
>> directive globally to suppress this message [Mon Aug 15
>> 14:55:14.054552 2016] [ssl:warn] [pid 26081:tid 139773925775232]
>> AH01906:x:0 server certificate is a CA certificate 
>> (BasicConstraints: CA == TRUE !?) [Mon Aug 15 14:55:14.054736
>> 2016] [mpm_event:notice] [pid 26081:tid 139773925775232] AH00489:
>> Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g-fips configured -- resuming
>> normal operations [Mon Aug 15 14:55:14.054747 2016] [core:notice]
>> [pid 26081:tid 139773925775232] AH00094: Command line: 
>> '/usr/sbin/apache2' [Mon Aug 15 14:55:20.854353 2016
>> ] [mpm_event:notice] [pid 26081:tid 
>> 139773925775232] AH00493: SIGUSR1 received.  Doing graceful
>> restart AH00558: apache2: Could not reliably determine the 
>> server's fully qualified domain name, using 127.0.1.1. Set the 
>> 'ServerName' directive globally to suppress this message [Mon Aug
>> 15 14:55:20.865056 2016] [mpm_event:notice] [pid 26081:tid 
>> 139773925775232] AH00489: Apache/2.4.18 (Ubuntu) configured --
>> resuming normal operations [Mon Aug 15 14:55:20.865076 2016]
>> [core:notice] [pid 26081:tid 139773925775232] AH00094: Command
>> line: '/usr/sbin/apache2' [Mon Aug 15 14:55:23.807722 2016
>> ] [mpm_event:notice] [pid 26081:tid 
>> 139773925775232] AH00493: SIGUSR1 received.  Doing graceful
>> restart AH00558: apache2: Could not reliably determine the 
>> server's fully qualified domain name, using 127.0.1.1. Set the 
>> 'ServerName' directive globally to suppress this message [Mon Aug
>> 15 14:55:23.840209 2016] [mpm_event:notice] [pid 26081:tid 
>> 139773925775232] AH00489: Apache/2.4.18 (Ubuntu) 
>> OpenSSL/1.0.2g-fips configured -- resuming normal operations [Mon
>> Aug 15 14:55:23.840217 2016] [core:notice] [pid 26081:tid 
>> 139773925

[users@httpd] authnz_ldap with fallback to file

2016-08-21 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

(Running Apache 2.2.22 with Debian patches)

I've got some services that use LDAP for authentication. One specific
service is our Nagios monitor. When the LDAP service is down, we get
notifications that (duh) it's down, but because Nagios uses LDAP for
authentication, we can't login to the monitoring console to ACK the erro
r.

So I'd like to set up a fall-back for one or two users to allow them
to do this kind of thing for this specific circumstance.

This is what I have right now for LDAP auth:

AuthType Basic
AuthBasicProvider ldap
Require ldap-group cn=nagios,ou=groups,dc=my-dc

At first, I was thinking of modifying the above to something like this:

AuthType Basic
AuthBasicProvider ldap file
Require ldap-group cn=nagios,ou=groups,dc=my-dc
Require valid-user
## Multiple REQUIREs will allow any matching criterion

The problem with the above is that ldap-group will require a group
only from ldap, but valid-user would allow ANY USER from the LDAP
server, so I would no longer be able to get my LDAP group requirement
to apply.

Is there any way to combine these two authentication mechanisms (ldap,
file) such that I can require an ldap-group for the LDAP users and a
valid-user ONLY FROM THE FILE?

I'm fairly confident that I could do this with a backup LDAP server
(even on localhost with only a few users ... or a complete backup if I
wanted) but that's a lot of infrastructure to set up for what I was
hoping could be a quick-and-dirty fall-back solution.

Any ideas?

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXued+AAoJEBzwKT+lPKRYQ4YP/RInLuiAgmh9vNcTJtLMOg/H
HbGYJ2+3wnzNJVVIanSDHdBwMM9xTGfRU20whKV2pXOuQI1VTBbVnv+liDOcmse6
lUOpYJyr8QB/mkx+Je77ICJnemd+TZiHJwnGHJPplJxT2jQXOlFMv9b+tBql9fNd
tPiTjKlN5wiWEJEvKnWpPmeGnqys9ZP6pOnUAPtWU8HDPyEiof0cgtwikwx4b6Gx
+RYuP+qNa60UcKq1hY0trqLR+9GTSmsdsx5LUXFNwXAZoqy5ltLis+/RFsz5ZIvw
03deeqhLR2xYUaekcKecnJ6Zk5M5beGt7elEpwG+YqKxLNXlmjOoNGpYllh5sSIq
1yLjwayjyyIcjnOguN3S7qZl3Ybaw3Oh0lOxSH4Jmx4LjgOGlFcZc1JqO7YwtF2C
RMvOUuH8830ZGFEZEC1Xb466+KUc/3xuj7I3uRA2Vkjf8htA0pX7xp3ZUrb8RGkx
t+3rg1cwn/wk5UC8nZUybhzDrbgbv2dJoobC4ZkUTVfhyGKI4aluwuCBYoPYjzlc
76EHk3NF3vlyCrx8uoeWHH2ElN8kbt9n4jH5zP3WuvBPRx7Bn1EDNLysFGHUjAur
WDfPzfg12iFg8bX9pR6AEweZVsGkmpXBd6kO0FgnC2imVtitCvHpGjYqMsUDxnj7
bL9Uu5ui7jPOpE0i+6gu
=HHir
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] authnz_ldap with fallback to file

2016-08-23 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Eric,

On 8/21/16 1:42 PM, Eric Covener wrote:
> On Sun, Aug 21, 2016 at 1:40 PM, Christopher Schultz 
>  wrote:
>> Is there any way to combine these two authentication mechanisms
>> (ldap, file) such that I can require an ldap-group for the LDAP
>> users and a valid-user ONLY FROM THE FILE?
> 
> You could put all the flat-file users in a authz_groupfile group
> and check that with Require.

I've never looked at authz_groupfile. I'll have a look at that.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXvK9wAAoJEBzwKT+lPKRY1QkP+QHn9vcFfY138nMeGZSaM6aO
p/1k8CNlZYe6zIKC6h9TapPGmsJi/o1Qd1z3fl9T92gcyRiF+WrQIEPudJGH+qna
RwJPPJ6TUCKOMIWAzKK8fYICK5/qbbJFuceDz604yXPi+Hp5/2BtgGBp6vDicCud
0NjhI0J/iRq04PE+tksKd8QsKeuwl/btldTw03jV6slPGvw8VoO8rthUGFCltO/7
kVNaQFv7WvkfOt8J6byhRz4M8eso5cLXY8MGMffBNQTtGh7gallM2bx27K7Hw70O
YkqoyukyKg0isfRZD5aIB5xviGREc7/a0ipcUsnQc/D7OkSTnIMxyft64hd90dGM
WxovEQgrNvE9E2S2M+HDNWhm5kMitIfxnsk4r7uRK3p7rh5K6VUn6HSlNBOluIT3
4iB2ZkxaiMGeYZg18TLOiCC3kOxKhqqdKlpPBXe0hMDSmA39xR6N865Je26b5ieb
UC3cuS4xboBb9h8tqhSF8MvCqkjhunwIqVOLU0/X0Xi8FV8tsMt16GeFGW2ds9Pt
eJ3cZI+vF2gt7EeI5AS51YU7Xo0e0fr/WsIqc/i6g3D+8/ysTDQj8A5dBh9wJuuZ
hR5Tpnhe0FGTsCUbZVw6gySX2dbLG0y13dKBO0W89s2EXHWZIeYhN58emfpPr4uJ
h7gfYv6kNjENJgudq8oY
=MKMe
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] httpd session timeout

2016-08-23 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Roger,

On 8/23/16 4:26 PM, Roger Paanini wrote:
> Folks, I have tried to configure httpd with session timeout but it
> does not seem to work. My httpd.conf has the following:
> 
> Session on SessionMaxAge 1 AuthType Basic ***
> 
> I was trying to put a timeout value of 1 sec just to test. This is
> not working. Am I missing something?
> 
> Thanks for any pointers on this.

How are you testing it? What did you expect? What happened if it
wasn't what you expected?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXvLIwAAoJEBzwKT+lPKRYWnAP/Ax2yBWc8laAbRC3jKTA7TlI
3Y5kfIrJi8tiNfzga/PXUWR82b6KmjMbXD5VKlD98YFFJhOjlMF8JSqV1MQIX1Lu
v9mfjkasfwhapPGtlksecNzJEA2KtSS+sLZfg5m1gPmv9R8sH5A6aFICmwVs87b8
DcZK/e/4STGvzGs6hGwQGaSgDDT3H4UFZqrLPCHx/jK85wNDkIZ+rHodzsLXjD9Y
/St2ER0bCWr090v0s/sKqKP28g7WrXBCiqh/MpCnIJ70B798GEmGI3sXnepFKSWV
1IzsK8J8KAufGY24XCgRMXad1TshaftnPiTIGmZ6pPesyq8sc4Rr8FN/Mo7xvR3Z
eSZYCJd639Ir76MHikCjVhgRzWphh82PN+9wf9hA7snk0yt+uFEsrcxTlURdErbB
0XWW7lKSor7R+OksK9HmL3izhEyNymXiOryRy5wBa2emlCajCoczy8XYy9CffkNq
OM81k343CdbdjLO5Z7AUdTIbnZjx5zGS9r6nVcf5uyg5j70ZuOyE1P6zft94KR4S
b6R2UMWUJ9aku7tzwP1cSox3DRSnhAI6VPXuwYiJYAZo6+kSTLCs0gW3Jb1q5nWj
1IF2lsGvZIqH0yqxZ49rgvYSnkCdp+pp3ZVFHfDED9LBD4B90tRzlQFI4QF0w5YV
TLNlGhmIB+eqb5dW9LnK
=9Yn+
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] httpd session timeout

2016-08-24 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Roger,

On 8/24/16 9:53 AM, Roger Paanini wrote:
> Chris, I am testing it by logging into the website using basic 
> authentication and then waiting for the time out duration and try
> to access the page again. I am expecting to be challenged for
> credentials again when I tried to access the page after the
> timeout. But I am never challenged after the timeout - ever after
> several hours beyond the timeout value.

You are misunderstanding the nature of HTTP BASIC authentication.

If the server sends a 403 response, your browser will show an
authentication dialog (username/password) and then provide those
credentials to the server with a follow-up request for the same
resource. For subsequent requests, those same credentials will be sent
with no end-date. HTTP BASIC has no provision for "session expiration"
as a part of the spec (that's why it's called "BASIC").

If you want to *really* expire the session and request a new
authentication challenge, you'll need to do it yourself. For example:
when authentication succeeds, place a token in the session that says
"last authenticated request". But before you do that, check the
session to see when the last authenticated request actually was. If it
was more than e.g. 60 seconds ago, *you* need to respond with an HTTP
403 response. httpd is not going to do this for you.

> But I see the following messages in my log file... I suspect my
> session modules are not configured correctly?

I'm sure your session modules are configured correctly. You just
misunderstand what the protocol (and httpd) can do for you, and what
you will have to do yourself.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXvb1IAAoJEBzwKT+lPKRYu9wQAMCaHmD1G4xNoUgClAJffnlf
kbhRF1hpjCmmGuOHqa19hbbttj0JuadNsFugAuRc0eSpJ0DUe/zlGZuX/YqitZLU
uiVCQVtXQ8nScmC/9WQjkSCB6NHJRXtUINItReu87NEGaWNUDeglyIHCerWK/zw/
yIUykBTT6qsxGL/i14W7ijL8GM9oN37jdlK+Bpakp8jMYChkbduYJVL3X70DxgyD
+oA7hzkq7Gjrmoj8BwJY1OhPnTELj22YTe6mr3KqephTmMN6LC9PWRzeLFgIN0ad
DBFnFKoMJxSAobvpoG40xeFIGWZAnNVmzHDJbHGllvgeD6X6i3ojH29U9kMSFutL
TOy8tBVCJQDe0e2LxXUbW5Imc1j4bXfMIkqBB3EVJB8oU8Fi9yygvcKCpy6WZkFp
n/q6uh3nu9jqHGQfyFviRmS0iEGMxoPSbKnnEzITOR7LPRUYaitiNPPbjie37ySi
kl/w4/1EzWzDd2HQf1wXd0b/UD+ach5S0KjgDVoTiESuc35EJCe2+bPYavoVtOZu
egYhEBIsc0ffcs3cz8cY3/66djGsKVtsJNHuXOnxAw/WTs2gFKSwOr3C0ARp4MBY
Zc1WPx7UqnYVDrG7bLDxvPKJsK/clD9Av++192dgB6M+VOmYepWFFaUYkfvScnsP
0S/3bmTlc6HKfTcldyNK
=ZqEH
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] 32 bit - httpd-2.2.31 Binary distribution for linux

2016-08-30 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Manjusha,

On 8/30/16 4:09 AM, Gole, Manjusha (Manjusha) wrote:
> Does anyone has a 32 bit - httpd-2.2.31 Binary distribution for
> linux? Can anyone share instructions to build one?

Most Linux distributions have httpd available through the package
manager. What are you running and why doesn't the existing package
meet your needs?

httpd is fairly easy to build on Linux. Do you have a
compiler/toolchain already installed?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXxZBTAAoJEBzwKT+lPKRY0IcP/0btM1+l9L8ronFpFLJXWq8w
TMrPJwGi8gu/upeaJDRDtltZik0dYK2sry9hxJpdIfl3UEO3sRNfjvVYfshH1O0U
9ttenEi6wM2VHy1ABbndEfbJ08Hy1DxiTIMfP5kdhrJ2x7grtIAhoVxsBYQkG8bS
G/ubqv43dxZqD7Chof19+PvIhcC39MYXBoJ4wQPqiivBOWyVIwVQ4rlqIsbIkQK2
CDa7mfBJ7+dMcyO8Qt9Oq41z8t5wIFciVxfMsxXSwYVcogFJCpnM8v9p/iHacXFv
AYBpOA7aMthU0Z/e/zTlFdSlFpZ7kaxVN3lrFP37Px+g3dQQGrplS/XDwppj6Cf1
vgkyoI9GPFxisMJ4pnOEseWYlx24XGS+tvQHQQaA0cbgVebNMCucdW9UsQhpRBAW
4CYMwIgEcqrJyxqiVZbXdxTU5CWctcIu4ESwdS7Pdd0S2fI+32u1EEzOAS3XfDRi
D1FEPPbVfoZ9l2j/SJpMjDmF5XB9heBVoLNlTXINa6ojvfNx8+gndYQ8s7fHwesc
MaOJfV7FT8I0PgIjBKLOQE0Tt3/PDwbVrhhfK5SMVLL/vl7v7OcomNdW/pffuiKL
p0pUoYS8qJO7k8pOcyFsPVqdHPu1kcdrY9GcOgOXJWxwBUP+7X0+trvy1LvTAevX
0maulPZbZ+pU3bXo7d/I
=P5T1
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] questions about IPv6 and SSL

2016-08-31 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Andreas,

On 8/31/16 10:56 AM, Andreas Meyer wrote:
> Just subscribed to this list because people reported my web server
> is not reachable anymore.
> 
> A few days ago I added IPv6-connectivity to the web server and
> changed the Listen-directives and the VitrualHost to also listen to
> the IPv6-Address on port 443.

Please post your "Listen" and "VirtualHost" directive lines from your
config file.

> There is a redirect from http to https. The website is not
> reachable anymore, not certificates are found.

Those are two different problems:

 1. Certificates are not found
 2. Web site is not reachable

One may cause the other.

What error message to you get, and where?

> Is a fix possible and how? Every hint welcome!

You can definitely fix this. httpd definitely works with IPv6, SSL,
and redirects. :)

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXx0vkAAoJEBzwKT+lPKRYxJgQAKCz6QYLtllqD/3Fp/KBxquY
236u1XRtC64qy4THr3TpZNVyUQs8+ODYzF2zRhoW3gvp6U4OkBPZ+t4ErM8hM1Ru
YX47rDIk9uqGMvVCliraydcbkpSzGuXQoWkcx0pJHWLgEYLFH9TQakRjlBGXxFqS
L1RqrBg7nyhV7PJ/WbUvzD1m1LJ6tK6yoalFg2T3CaEGuJRO1jiSJ9L7famk5RrN
RX/Q/LH6eHqlXeVzYC7GjIZQTm12+83HhjadX3M9BtloM988F+buOiz1jR28ZgmO
OXWqFEfKATffwZUUNfDDBcAR12ACgz1xsXc9u609LsF7DLBkPUh60xfYWl/ayAQn
bSKzHejVxVI6sTK6kIL9BVjaG/JjBV/kFednSvKCbYZEGsHVEDuDeXpmqYsiMumU
xO2fw3OEz303DNzkFrn2wCuow5ZEBKHNfj1RYptiMigFQwRvLSZRI/FnnDlhXFaI
j3e3POwrjuk4mX9cyirscea91Is3R7+h+epAn7KP756w1/R34VtKWfwc5FmH/4TC
/gkRO4PkPbUr6Wx6T4wQZHyZbgGIiLsyEWNZe0DXAmZHpZ9fV4nKQw621V8he356
PU/bLF1KwDKWLyJTZWa9/hu9KLDtNVUD503QFGSDVBwyooZ9N4zcmxkHJV/Gi0se
MGVnWK+0kzzzxQgdUSkU
=wL8A
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] questions about IPv6 and SSL

2016-08-31 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Andreas,

On 8/31/16 6:05 PM, Andreas Meyer wrote:
> Christopher Schultz  schrieb am
> 31.08.16 um 17:28:04 Uhr:
> 
>>> A few days ago I added IPv6-connectivity to the web server and 
>>> changed the Listen-directives and the VitrualHost to also
>>> listen to the IPv6-Address on port 443.
>> 
>> Please post your "Listen" and "VirtualHost" directive lines from
>> your config file.
> 
> This is the part of listen.conf:
> 
> Listen 127.0.0.1:80 Listen 37.120.166.21:80 Listen
> 46.38.231.143:80 Listen [2a03:4000:6:4123::1]:80
> 
>   IfModule mod_ssl.c>

Missing < in the previous line. Typo or copy/paste error?

> Listen 127.0.0.1:443 Listen 37.120.166.21:443 Listen
> 46.38.231.143:443 Listen [2a03:4000:6:4123::1]:443
> 
>   
> 
> and in the VirtualHost I just added
> 
> 
> 
> RewriteCond %{HTTPS} off RewriteRule ^(.*)$
> https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
> 
> and in the sslvhost  [2a03:4000:6:4123::1]:443>

This plus the above are likely to be confusing: you have separate
VirtualHosts bound to the same interface with no port specification.

Try this:


   ...


   ...


Note that you haven't specified a VirtualHost for localhost and
whatever 46.38.231.143 is.

Which interface are you using for testing?

Do any of the ports work? Does httpd even start up?

> tried also with a separate 
> 
>>> There is a redirect from http to https. The website is not 
>>> reachable anymore, not certificates are found.
>> 
>> Those are two different problems:
>> 
>> 1. Certificates are not found
> 
> The certificate are there. If I disable the IPV6 things, they are
> found.

Woah, what?

When you say "disable IPv6", what do you mean? How are you changing
your configuration?

>> 2. Web site is not reachable
>> 
>> One may cause the other.
>> 
>> What error message to you get, and where?
> 
> The thing is, I didn't notice the website is not reachable 'cause
> my testings with my IPv6 connection showed no errors.

That statement is confusing to me. Can you clarify it?

> ping from outside:
> 
> andreas@workstation:/> ping6 2a03:4000:6:4123::1 PING
> 2a03:4000:6:4123::1(2a03:4000:6:4123::1) 56 data bytes 64 bytes
> from 2a03:4000:6:4123::1: icmp_seq=1 ttl=58 time=33.2 ms 64 bytes
> from 2a03:4000:6:4123::1: icmp_seq=2 ttl=58 time=33.1 ms 64 bytes
> from 2a03:4000:6:4123::1: icmp_seq=3 ttl=58 time=30.9 ms ^C
> 
> People then reported the site is not reachable, for instance:
> 
> Firefox-Fehlermeldung: Ein Fehler ist während einer Verbindung mit
> www.bitcorner.de aufgetreten. SSL hat einen Eintrag erhalten, der
> die maximal erlaubte Länge überschritten hat. Fehlercode: 
> SSL_ERROR_RX_RECORD_TOO_LONG
> 
> Curl: error (35): error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol]

That usually happens when you (correctly) disable SSLv3 and someone
tries to use an SSLv3 handshake with your site. That doesn't
necessarily mean that your site is misconfigured.

> Wget: wget "https://www.bitcorner.de/bshop/products.csv"; 
> --2016-08-31 15:21:12--
> https://www.bitcorner.de/bshop/products.csv Resolving
> www.bitcorner.de (www.bitcorner.de)... 37.120.166.21, 
> 2a03:4000:6:4123::1 Connecting to www.bitcorner.de
> (www.bitcorner.de)|37.120.166.21|:443... connected. GnuTLS: An
> unexpected TLS packet was received. Unable to establish SSL
> connection.

How about this:

$ openssl s_client -tls1 -connect www.bitcorner.de:443

Here's what I get when I try SSLv3:

$ openssl s_client -ssl3 -connect www.bitcorner.de:443
CONNECTED(0003)
5966:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenS
SL098-59.60.1/src/ssl/s3_pkt.c:1145:SSL
alert number 40
5966:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenS
SL098-59.60.1/src/ssl/s3_pkt.c:566:

Using TLSv1, I get better results:

$ openssl s_client -tls1 -connect www.bitcorner.de:443
CONNECTED(0003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
- ---
Certificate chain
 0 s:/CN=bitcorner.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
- ---
[...]
- ---
SSL handshake has read 4652 bytes and written 682 bytes
- ---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session

Re: [users@httpd] Apache losing its connection from Tomcat in few minutes

2016-09-06 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

James,

On 9/4/16 5:16 AM, Dr James Smith wrote:
> You don't give enough information about the setup to solve any of
> your problems really.
> 
> Are the apache/tomcat/cms on the same box or different
> 
> We have seen big problems with mod_jk when there are firewalls
> involved (so much so we don't use it any more but use mod_proxy
> instead) - connections are severed by the firewall - you need to
> look up "tcp keep alive" settings for your connections - but even
> then that doesn't help - mod_jk doesn't handle this situation
> well... (ditto nginx, mod_fcgi etc none of them really handle any
> form of flakyness when it comes to network well)

I've been using mod_jk for quite a few years (both with and without
firewalls) and never had any problems. The trick is that you have you
have configure it correctly, just like you'd have to
properly-configure mod_proxy as well.

mod_jk uses a permanent-connection to the backend, and you have to
arrange to have those connections re-established if they drop. You
want to pair the connection_pool_timeout in mod_jk (in sec) with the
connectionTimeout in Tomcat (in ms) to make sure that both sides of
the channel will hang up the phone after an appropriate interval. Use
of CPING/CPONG can help ensure that the connection hasn't been dropped
by the firewall.

I suspect that Jayaram's problem is either a mismatched pair of
connection_pool_timeout/connectionTimeout settings, or a value that is
less than the idle-timeout on the firewall.

Hope that helps,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXztjUAAoJEBzwKT+lPKRY8MwP/jA123QoWtrYgUSKoOF/8qy/
WPa32ZFhcM3zdpmT5+Im6z7yt7m/v8jGYugd1/hvCWFX2VSuqOAIdGxxwI2OC2eq
KRWvOgS0PgIwVWvzt7qPp5wILXcmWq0u9OuaXEpgVjKS7AZjPBcsbgi/54n65zkn
Ac3lRvSgodZzmNGR6sO+FoUgUF9QnVcXcYJhVJVEb7kzFRSfN32XsIGzB9Z4Q2I9
+WN1F57qcWQrWwsq0Sth+7+E8SnLEhcTuCqultun4tC8Klhh9D63FKMd5L1kgDfZ
cxqvxNwxcJUiRzrPjnBd7x9+R3GJ4chUgfq4a8DCXQntkochJEOtgsjOszqjAsl9
3vY3SwDeenzMpd0fwJ8aAhOShWDUSx3BoqV5PmfbrVCNGGA4BH0GIk6kqF37sh6p
lBGgW/DjBV8Qk0P4vkk7ieuzv/czMDcuCRgGAAdlHImu/Z9PaWGhckqy0o+35hRj
TtCoTlzHPyeAGFaqpD7kkUnHqbduv9QokhLE7xgRGUtaqk0/u0xCpNex208sR2oG
WIzBJbfgu5JeSzPXstNGZtvkNEZl+Y5NAvGcAM/2hhmjR405nilfyrSRl6XkH5Te
j2Vn4sRfpMxFe6gwe8KOqVHLaRVJk06GNhUUPrF6haATV2sDEC4B7kTCQYSXt2Oe
pWHH9rRs5IKKKRu7yeDK
=z0xI
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] problem compiling apache

2016-09-20 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Pavol,

On 9/20/16 3:07 PM, Pavol Eisenberg wrote:
> Hello
> 
> After I've tried to upgrade my openssl 1.0.2 (ubuntu default) to
> Openssl 1.1.0 I cannot compile apache with ssl anymore.I also
> reverse to openssl 1.0.2 but the problem still remain.
> 
> Can someone point me how to fix this to have working ssl with
> apache ?
> 
> Here is my current compile output :
> 
> 
> /usr/share/apr-1.0/build/libtool --silent --mode=link 
> x86_64-linux-gnu-gcc  -pthread   -L/usr/local/lib -lssl -lcrypto
> \ -o ab  ab.lo   /usr/lib/x86_64-linux-gnu/libaprutil-1.la 
>  /usr/lib/x86_64-linux-gnu/libapr-1.la 
>  -lm ab.o: In function `main': 
> ab.c:(.text+0x62a8): undefined reference to `SSLv2_client_method' 
> ab.c:(.text+0x653c): undefined reference to `CRYPTO_malloc_init' 
> collect2: error: ld returned 1 exit status Makefile:73: recipe for
> target 'ab' failed make[2]: *** [ab] Error 1
> 
> many thanks for help

httpd source version?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX4Yr8AAoJEBzwKT+lPKRYn/kQAIctRZy+WykFxc2oGVFzHyWu
PYFHp2zYlex0RornTV7SbAtvNAn9c6OajUHxHVpOT4Hg4V42VqA/SwvxlTzUPYIm
QuUqml3/uEi/ue0mn/ziCCcfs8jm94H4Wz9jakHD2Mw/TzpiFyhGu1XfXoqNgpxd
vALzIyejcwhHCoXIpjZe4ivCUZZ5WIIqnGLoiOcOOkprvT2TsSLlRyTXhbMOjWpt
tm+FmtoFPiFo721Jp+R5/S/S/7+zhaqfzKXYGqnhfBboEhFhugZF1qbdHP9sflCF
p5sOe22s+IiuIuQ1sIZFVtrG0WCGjdY82UB6NEs3+S7CQXBz0D1JAr7xkIZzQhWm
c1fN8mQEO/VzMNysvWyk3NlVUmkPTxX/8dETkxjCb6VWRnr5s/DPw1HFoh5Ps27e
oCHi95sLDXMheUMjCWJ4OyWh/95JU8fCjfOytdyddhFnPHVamANWS6CPVPtModMU
JJSfyBRKVURtN2pemAEq8tBg8prBH1VnLKCehb+yDBU/8yDuCqpBm3xAHciDjMoH
WMqHs8BfMbB0QKAKOpSGjbBvfyW0TTUqEJPzTuSJYTvYdwcOt22rlyBW81qw7nZk
IoyByEk90lfiiElNaBuhI95lFTU+ZejzekJQz+Ro0ZMS3pP29NLjdfxqMNOAG4fI
XbgGozBpggqp/Jx/OJbj
=/B6C
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Showing exact filesize in bytes instead of shortform in directory listing

2016-09-30 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cie,

On 9/30/16 5:59 AM, Cie wrote:
> In Apache server 2.4, when activating the IndexOptions
> +FancyIndexing in the httpd.conf, the directory listing shows the
> file size of a file like in the following example:
> 
> exported_file.pdf 2.1M
> 
> The file size display is accumulated to Kilobytes (K) or Megabyte
> (M). The exact file size is 2176555 bytes, but instead "2.1M" is
> shown.
> 
> Is there a way to configure Apache server to show the exact file
> size in bytes in the directory listing? I had a look into the
> Apache documentation of [mod_autoindex]
> http://httpd.apache.org/docs/2.4/mod/mod_autoindex.html but have
> not found anything suitable.
> 
> Background: I want to mirror the directory with lftp, and lftp can
> not read the given filesize correctly out of the index. So lftp has
> to make HEAD requests to get the file size for each file. The
> additional HEAD requests would be not necessary if the index
> returns the exact file size.
> 
> Thank you very much and kind regards

It sounds like this is a good candidate for a web service which
returns exactly the information you need and no more. For example, if
you were to return the list of files and their file sizes as a CSV or
something simpler than an HTML document, you would be able to do it
even more easily.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX7m7hAAoJEBzwKT+lPKRYjKQP/j3V6tkCYgcvpb4NTcJ3NkZm
TImeJAtJ8tUBFgAho9pWBUSyV43SSnR6ZI4Qv6bAEYyvcJyJPW85O0trpqvCxcKU
EIPBKr/dnTp8OCHcnz/7ZiL17mDPuzNwTart7GUlYHDN++W7PP3JgZuJ6awkVNyN
pmlHrSqLmaQOLlJ52w2PqPrqmCs8tz3VoTtkpMxTlGjvqaFHD83f2zKD/IYJDNpq
k6TpsOkVEzHPEYJNuC9Kp6acxRURVjLFZWdEHM4sKSmYTIo465KW71XJpeEr4g96
2uBIAs/GRZO0OLgY5yfH2b0SvYbrof+j4KF6CaabtI1ZSZIvwFhLIQmK7wNr4FU1
uYCPrauEi8vUsFGhC7E1/YJfHj/8cpfTgrHXGtBdGoMq1iOv/DL3filIIVwf0Li8
Kcj8Vc0uR8hm2lQqrWasfw3grCmoXR2Sykk8pxY4FghlWB2VrnO8FNyaE4u/pXrw
3nv/KvCICxIRKDwCM4GiaKCtG4NIkl5pU1XBhgZmA7x/Zg6gJ8yidPscxO5YiVqT
XUudc4h5DCpVXvCkkcIX+b47Ec7ZTclpx5YDS7C0Gq+fBVwMmDnMNCLriE1pEObN
ubRJeTgzGubfp40wJqztJv8aqXyGMqF/AXDnOD6cy1yj5NU3RFp3GYPKsCuDJJ1o
Kr4m8DImijTsPMnO5110
=1iUT
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Fine Tuning Apache 2.4 on AWS EC2 t2.medium Instance

2016-10-01 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Tony,

On 10/1/16 4:36 PM, Tony DiLoreto wrote:
> All,
> 
> I'm at my wits end trying to simply run Apache 2.4 on my Amazon
> EC2 server. There are dozens of stackoverflow and websites, but
> the suggestions do not seem to work on my instance.
> 
> *Hardware*
> 
> * Amazon EC2 Instance * t2.medium (2 VCPUs, 4GB RAM, 1GB Swap
> added)
> 
> *Software*
> 
> * Base Amazon Unix distro * Apache 2.4, PHP 5 (no mysql) via
> Amazon instructions:
> http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-LAMP.html
>
>  Shortly after installation, I'm finding the serve grinds to a
> halt. Apache eats 95% of total memory, to the point where I cannot
> run base unix commands like 'ls'. Looking for recommendations on:
> 
> * which modules I can safely disable (those that few very users
> need) * _exact_ values for maxConnectionsPerChild,
> maxRequestWorkers, etc.
> 
> That leaves me with 1GB free for the operating system. My
> Wordpress website will not be serving more than 10k
> pageviews/month, and never more than 20 at any given moment.
> 
> Any recommendations?? Thanks in advance!

Weird, httpd takes up 95% of RAM? What modules do you have enabled?
Does it eat all that RAM if you don't make any requests? Which MPM are
you using?

What if you disable mod_php and temporarily disable Wordpress? Does it
behave nicely, then?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX8CO3AAoJEBzwKT+lPKRYh3sQAMHZLeDqI/F80Ksdi1z+BrOf
ZZ6t2regMseG5cTUtNFIJMb5LmOy56JjvxPZXmu4o9kyRPqSs3he3bxwBI4aAHWR
gVQBxWonqFkwsBEpr4u3q30nZN8LchZGPXTQcw7+/SLbP7EBaFnTiEhPPEwj374H
XFEyTkh0tv3Hd4q85W8OwgcENHm8IyTA8FuqhUr0xtVsfxhA6xvqcrz34rdYoYW5
FlHQclK7t2pqsSWjRJh6fnFwrS8u8xEtsFfRWhinkNAJpOCch4vnKOgSWeBF3zH+
tuNiGbP3FX+Ge85WZFLY68xCUSPOWPPPl8du7BSsAX2f2JLyBjtt12435qPE2tez
b1hHMrrkQZGyWFzxl4GR5kkH9Qp/nTkqFLBCPcFzH7DHHJJJC4NyYPTff8PRDFrT
Xw5BIkghiT7+d1hPLiUyaGrsu9leZUVIozXT3KvgPIsQiIff6gZovj2QEgM6QZT8
qhEkHjj41RZksNHJ41BxLiZIqclkXlbWdfIBUtzeRYWEZG/FCwLbzH+B1mfj0nJn
hqGC0J8lZs3d2l/Ws/sNu9xz5qGv/ZcKSynToZXq8Pb/zorjSJGqOS13BTeh0Dz2
PsDBkcPQ4jymVU/Vt668q3Jm7TI3Ip0cigKxzBhA9cUJebuIv9YI98zBnuPRh5RE
E62pt8xp0IX25O3M0GxX
=dWd7
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Copyright notices in httpd source files

2016-12-28 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

Is it common to have a copyright notice in httpd C source files?

Jim committed a donation of code for HAProxy's PROXY protocol in
r1776076 and later. (Thanks, by the way: I've been hoping to get this
in 2.4 for a while so consider me a big (karma-less) +1 for back-port
of this module).

The C source
https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_prox
y_protocol.c?view=markup&pathrev=1776076
file contains this copyright claim:

Copyright 2014 Cloudzilla Inc.

I haven't pulled the source to see if other such claims exist in other
source files, but I have never noticed a copyright claim in other ASF
projects.

Is this a simple oversight or should the copyright notice remain?

Thanks,
- -chris

PS Special thanks to Dan Ruggeri who was working on this independently
of the donation with me, and who missed his own commit of virtually
the same code by a few hours.
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYZEBhAAoJEBzwKT+lPKRYMTQQALHTwsO8Xba/UtAxKoh7lwhj
Uwh/J61NR21okbb+1Kl3I3kCXAqBs61gKkEAvVZYCVIPkO6tSFW/zSlVWsebC0GD
erM9BLAk8UHfD5gEI3i6JwP+umbYleLQJOcbGbLObG6sOfsdKHcMQJ3jl2mNCFCJ
QozZQy4BQBjCw9GA5n9QJBVA04vYBAG4IKCgD6UqtrKp+9AJzfNv0fjkAHx+X6Jo
Ec5YtRsvO7hj6341C3UxgBpw/+rPZxXWeJVvVekVfsFzjxvJGpnJQV/Yx3iGvaGn
uwdnLXLAgNFs82N/ip9GZNbv12jPFzUvu7WxXG9PXHZ5z9oL2y4s1m95RsVLPATn
zViFxZkGTF4h1rdqix2MNN7/q/hQmY6XsOo1fSlSAYhAMFQ1g43EMecLud3dCECw
ypjVVJO+T29JArCzyJb5skOr2lSdcf9ZYAhnStgHmRUw/bvwDhcMaCjsdqFdaUSD
fIqMdp7gAJ3/fou/AdARERxhR7UNDp7sNJcCpOo/hoHoJ8QSy5b7CBUGG3uemdjH
JBPYtYVilbvif7/EV9AAWwsKO/JX4smqctHrU2ZG/JHt0f4pQ+QxaTkys+jblXdu
83ROK+0DlX9KXcIOSBQ/SWqj/3UoPIgVxXgnf8RKztMuUUdFrPScWYpKFPpoeXPF
5+VNuOdIkoX+MalGusox
=wMXF
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Copyright notices in httpd source files

2016-12-29 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Nick,

On 12/29/16 3:56 AM, Nick Kew wrote:
> Cc: dev list.  Looks like a catch?

(my reply might be bounced from the dev@ list... I don't think I'm
subscribed)

> On Wed, 2016-12-28 at 17:44 -0500, Christopher Schultz wrote:
>> All,
>> 
>> Is it common to have a copyright notice in httpd C source files?
> 
> Not common, but neither is it unusual.  I'd expect it to mean 
> someone else copyrighted it before contributing it to apache.
> 
>> [ mod_proxy_protocol.c ] Copyright 2014 Cloudzilla Inc.
> 
> If that's in our svn, it should probably have another line 
> asserting Apache copyright alongside that one.  As in, for
> instance, mod_proxy_html.

Yep, this is ASF svn. That's why I included the link in my original post
:

https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_prox
y_protocol.c?view=markup&pathrev=1776076

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYZeM4AAoJEBzwKT+lPKRYpN4P/30FjhTLL1iMSVRETFzQkBsC
T+7e8+0NejwaqSoAqWpX/VbIawgyGFtsqgFjqOzGkp8Oy3FSnWpCFfG3IVR/4DCW
dEe+/LWU5f+B0T1dJyDL2DOCxnHQPiyPc3AYGF+NUtIvKEys8m7zO8hTQ0Dz5TFB
k4GFt69aP+MJnKAQAx8T1Gilwbu5vUZWmxu80rbl85FixYiW3iTSPHzApQ53ZSdx
mUUHYoV9wv0fwm1+Udj6SHQRkVDBmzwddeTdqEa9mukdf6zc+8R4pcx8K0YLxuMP
iduKLbXCxpy2oi28UpqqD8/5JD9adNBc3aYUpm0b/7ceJpr05wkFtZfh7OerULwr
nYqxaZtogrdMPzV3fgOvz2S136uqDd0qSFOyvV7Qy8i/87Yr+kkk1GDaVcenhM1m
z6+0iV9ftm5F4QbivheaKsJJEut4urfiVBnUha1l+BveWO+IOR047U/gdP7gfvcP
RrCqaYLSclCP0UtlBAa0RWlZSsa4HS3/m+YyJ/dm4pDbjY6kyWAkA8w4+GOJhQLf
MJ//TKbZ9LGNo4ueye+pRN1H4OFuJqTI1c4LdOsXqOW62IhATUIU8/DNCxKrlkTL
pGp2C+5qUDQGj/yotEdyI9oDshm3ZDgPAplMQcl2itVyKgKYVrjmHfgLectRNAKf
m+W8ul5tp4Dp0N0vJSU1
=Uymx
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Copyright notices in httpd source files

2016-12-29 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Jim,

On 12/29/16 9:38 AM, Jim Jagielski wrote:
> I didn't know you guys were working on it. Cool. I had been working
> the donation angle for awhile and finally got approval so wanted to
> get it in quick! :)

Daniel's efforts were focused on a patch to mod_remoteip which IMO
seems more natural (though I'm largely ignorant of how anything
"should" be done within httpd, so take my opinion with zero gravity of
course) rather than a separate module.

I'll join the dev@ list where we could probably continue this
discussion with a better audience.

Thanks,
- -chris

>> On Dec 29, 2016, at 3:56 AM, Nick Kew  wrote:
>> 
>> Cc: dev list.  Looks like a catch?
>> 
>> On Wed, 2016-12-28 at 17:44 -0500, Christopher Schultz wrote:
>>> All,
>>> 
>>> Is it common to have a copyright notice in httpd C source
>>> files?
>> 
>> Not common, but neither is it unusual.  I'd expect it to mean 
>> someone else copyrighted it before contributing it to apache.
>> 
>>> [ mod_proxy_protocol.c ] Copyright 2014 Cloudzilla Inc.
>> 
>> If that's in our svn, it should probably have another line 
>> asserting Apache copyright alongside that one.  As in, for
>> instance, mod_proxy_html.
>> 
>> -- Nick Kew
>> 
> 
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYZeQGAAoJEBzwKT+lPKRY90QP/jnoTj/LlmUV0YveVpyX13jZ
ysxx1HJarxMM6ePOVh/6KCkgwWYGe6SH0MyFrxUwrmH4BkZkXors3u/TJZFfWR9P
kru1Z9c+9doPWGPAXZZz/cQrHU6dvDFp8LIs4uPXlb+p2DrsHizGZnZxta9ckqa/
lTdHgUbcpVP1e8YV2S8bBi5SuV3tmf97IN5GV7wi/G9EtQlcFWQ7NH+dYDs62TlU
emr9Xo2hAGfVhaYKZ9wHcLgjuVXRhHnl1UM7YpiReSvsNwpX+a+kLEf7B3iYdE1t
fk80HCWHmmcOe21nOIyU/OsyUVyVd2be64aH6gzrnh5yxIayb3ZSB8+eyk1O+aoR
LA8fVAJgiDonj7JS/d7DSHkImIK5PIvD6voDMCQ2Rf0DSf6DlFGKC96yKUbIUC5O
5MGym7n+j6WxaiUHReBZaAeW/gcwnzr7xqe+PRXBmBQmlJrVPmdpM6nNjyxOn6Bn
ylw9pmO99lC+qUO01rY/duHhMrQY+SDnCxyGx1xdAYK7ASSAw7gtUU3Zfvoe27zo
XT33d8XsBTXsMFDeOBLz9Nws2qnHQQ4BOSV8+s7sio1IVeV2F32T9RPEIu7J/TCN
WZsWBy7NS2BvGVjezgOGMhVZnl81Y+HsPrU7ZCKmIKEpkJGMWnopmtUhMrs9X7Yv
+bo4j01/FrMGpNna4RCI
=RuJT
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Configuring redirects httpd behind a TLS-terminating proxy

2017-01-23 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

I've got an EC2 instance behind a load balancer where TLS is being
terminated. I've arranged for two separate httpd (2.4.25)
VirtualHosts: one for the secure connections (proxied from the lb) and
another for the non-secure connections.

I have a Redirect directive that isn't behaving as I'd like it to behave
:

RedirectMatch permanent ^/$/site/

I have the same redirect in both VirtualHosts. The redirect itself
works, but it doesn't preserve the secure-protocol when I'm using the
secure VirtualHost.

I have this directives to attempt to set the HTTPS environment variable:

# Handle ELB requests; maintain client information
SetEnvIf X-Forwarded-Proto "https" HTTPS=On
SetEnvIf X-Forwarded-Port "(.*)" JK_LOCAL_PORT=$1

I can confirm that ELB is in fact sending the "X-Forwarded-Proto:
https" header to my httpd instance.

I can also see that the HTTPS environment variable is in fact being
set to "On" when I make a request.

I'm expecting httpd to redirect a request from
"https://www.example.com/"; to "https://www.example.com/site/"; but
instead I'm getting redirected to "http://www.example.com/site/";.

Can anyone see anything wrong with my configuration? Or do I have a
misunderstanding of how RedirectMatch will built its relative URLs?
I'd expect the redirects to be protocol-relative, but even though
HTTPS=On, the request from the LB is actually using HTTP and not
HTTPS. Am I not able to override the protocol by setting the HTTPS
environment variable?

Do I have to build an absolute redirect using other environment variable
s?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYhn6RAAoJEBzwKT+lPKRYPGgQAJxY2qq2wAxhzV21iQJFz/qz
vviFasPk17/ezD7ZGM1yHuxOrTrZRglvIRUXrRB3MWBX55fX11NsryxfKNigxOpw
TXtmJQNAScvXZfGdSVkVNcSNHN6FWKE+QRNhtPNhVoyxWP1fUdc00bzFCX3PDvoo
+8ASJJDV+0Qy5O0IlVv4B1uBnfzhVaxBgi2UYzGF8jyrbgUXHUA9R14FtXN6DNqw
Q4UKBXD6W5wS1zPYep9oHs0aqQIycvAXTFB20dwfaZ/Qft/wED2ACNOg60hRtQ3x
tP57zjEQqxzHKPHsTYaM4k6so69lIL9uoNUBgN1Q/Eqyl+ufF13y2EasjL4Y2Svz
qUFzyP85xFHTxnR8QvAYvmL4jqrf2ynZWnKHLDoVs1y9BOb0Iv4/8EWqcaIOG4QF
MlUxoSY32Z/BA3oxkE3pTzzqeyjZTY3ITMtdNDFMWFoDa3iTDBFNjfcUOYJSuaZx
7Q9A7NYtMpTFvTxVpQmz+PFkVpDqmF/xxHO/B9LaPcjTCWqqYU+m5/GTugW/pcoH
LVKfiPEbAYkjmOIR/+BE2x2YU4PglTIrzKfB2MlyHq/3qU3/SNvL+qM0xs6V1tdN
OtLx83lrEKecuqiH3A6zGPpcKqzdCGCMJxbg/jq5QJXMLs3/sSYyo15EjUEQYfjZ
Wn+RdQYSpwcWQ8eoLQVF
=mJ4i
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Configuring redirects httpd behind a TLS-terminating proxy

2017-02-01 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Konstantin,

On 1/24/17 3:53 AM, Konstantin Kolinko wrote:
> 2017-01-24 1:07 GMT+03:00 Christopher Schultz
> :
>> 
>> I've got an EC2 instance behind a load balancer where TLS is
>> being terminated. I've arranged for two separate httpd (2.4.25) 
>> VirtualHosts: one for the secure connections (proxied from the
>> lb) and another for the non-secure connections.
>> 
>> I have a Redirect directive that isn't behaving as I'd like it to
>> behave :
>> 
>> RedirectMatch permanent ^/$/site/
>> 
>> I have the same redirect in both VirtualHosts. The redirect
>> itself works, but it doesn't preserve the secure-protocol when
>> I'm using the secure VirtualHost.
>> 
> []
>> 
>> I'm expecting httpd to redirect a request from 
>> "https://www.example.com/"; to "https://www.example.com/site/";
>> but instead I'm getting redirected to
>> "http://www.example.com/site/";.
>> 
>> Can anyone see anything wrong with my configuration? Or do I have
>> a misunderstanding of how RedirectMatch will built its relative
>> URLs?
> 
> If that VirtualHost is accessed only by your lb, you should look
> at ServerName directive. It can include a scheme.

Interesting. It looks like that's exactly what I'm looking for. I just
did a quick test and it looks like that will solve my problem quite well
.

Alexandru, I was hoping to avoid using mod_proxy unless necessary, but
thanks for the suggestion.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYkjYSAAoJEBzwKT+lPKRYIpMQAIO1fUAIzXoniBecYhJ7CWGl
ZOaE3gsi9UPxtitDpoQU+BXrzDugcvmXNpIxUveQsQ4ZaqUOiot0QUXn80tne757
MwWx020G+Th6iFnaB4P7weSbJM1hRwXmXbUmA0vLXlScf8f9KdC0LqGYHqspOtCv
xdWrC3x66g/qLhxRmeseCU0tCjsrnben7CGwtzESsmqkB1XSAXSLID2hs/auakot
47+2J+tomGmP+HvGJ1yw5ClArGbmXF/geG3DH8QVEkviX3hX0nIVltoCYpAQtnYX
U8m6jhbtoqFk21qoSKcYVTY9Zk8Olb01hPs2KW7KCERHw4+7c0zhMu2FQ1RurHBC
2sDEe/OklHoeP9BExtxYGEqZcOHLpsOcoofM4wZGhTX+Wu41/HdJJDVKojz9E0C4
83S5IVmoIRBxr5QcfoW65To5WdYzRC0mlZN8Vae87M1kjfJAMQ2caN6brSLkDy7B
VRdX1GVS5a+sczyG0ska/zgflMV0mOyTtQHp3+tXy/HU18IoovUN4oxcuORtif1J
knmRVqjEDUcxh4TvuhjouHpsNg5DivaSFgwf43l2mwQPqldmmtKBoRMNVZjrBnhQ
d9zpEwMPwpkdUcHsgVWZe466u7dK+b5bQN336LJAtRFrb6KhVfrILoO1K2bvGb7L
eo4o+u7iJvNmgeN56l32
=7E9Q
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled

2017-02-09 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Daniel,

On 2/9/17 4:53 PM, Daniel wrote:
> Try manually:
> 
> SSLProtocol SSLv3 TLSv1 TLSv1.1 TLSv1.2

And, please, for the love of god, add these, too:

SSLHonorServerOrder On
SSLCipherSuite TLSv1.2:TLSv1.1:TLSv1:SSLv3

This will cause "better" ciphers to be preferred over the lesser ones.
Don't forget to eliminate the insecure ones like EXPORT, MD5, DES,
RC4, etc.

A typical cipher string I might use looks like this:

SSLCipherSuite
!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!RC4:ECDHE:ECDH:DHE:AES256-GCM-SH
A384:AES128-GCM-SHA256:HIGH

- -chris

> 2017-02-09 17:30 GMT+01:00 Sven Crul  >:
> 
> Hi,
> 
> 
> I switch to debian with apache 2.4.10 where I need sslv3 for 
> backwards compatibility with some OLD clients
> 
> I use openssl 1.0.1t (latest stable for debian)
> 
> 
> with the settings  "sslprotocol all" in  ssl.conf sslv3 is not
> offered
> 
> with the setting "sslprotocol sslv3" in ssl.conf it works but 
> unfortunately without tls (I need TLS also)
> 
> 
> I must be the only one who has this problem because can't find 
> anything about it anywhere, and I tried about anything there is
> 
> 
> sslprotocol all +sslv3 ... etc nothing works
> 
> 
> Anybody has an idea
> 
> 
> THX!
> 
> Sven
> 
> 
> 
> 
> 
> 
> -- *Daniel Ferradal* IT Specialist
> 
> emaildferradal at gmail.com  linkedin
> es.linkedin.com/in/danielferradal 
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYnOoCAAoJEBzwKT+lPKRYgnkP/jHquyBGVH2uYKcF6Pzyn7Uw
LduZ+8eVqnSC5OsI7s6HBZrqxJthIb2c5Ns+w/rR8ga4o86bzWd+Shr+lwI41UXJ
gEjJDUyQYN5/1YMwlc+w/MFyqgWIaJTdJEhC1kgBMzQzNt53og13tMT7z93rvMsE
NZC1Gb0ANYx68d4/QC/J1Qoh3H0PkqLniHuV6GOuM7zeu9i5IcLQDW4WX7yXcG63
2VsTKwcPdQ1uH3t3i5c3+bbtvWsfMn0bj5Z8SaYInpLWX1swIBLh9b2+dzD5+A2Q
wLgSdIqgZhbkSyqFvq8oqXiaKQ6oxXVXfEJ6bivTkQNbyflR64eqqWXSRsc/RxfK
GJnalLogEM3iP2L7BUAE7Ok3r8xP4Drxy8JaVSLYNm+0BboSP80MZ0YPiIKcniZF
lkyQwyqOWX+OO1Eo0Z6SOTRoRMbymIPvgV+34aVp4admwNtfUN/2F+dPn+7xExHW
Y5oA7j9qBEYXJg63AHY3R//tGm/rtnDlHPt8bxCw5tWrR6HFgoqabyR5MhSYpfED
g8ReWrkd+Ygr10++hw2wwHf9Qwq9jHa2WYhGQyT5HiTIm+ui1X5gD19p9rpyCfcn
ARZ+NgoBHjFGNg0gLu1m3mwDDElnr9/kQE+KRdoVnICm18i3vO4CXzZLUC3moPRR
43zsMR858V8ZOZThX0s7
=/YOD
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] proxypass does'nt seem to work on apache 2.4.25

2017-02-17 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Stéphane,

On 2/17/17 11:06 AM, Stéphane Laurencelle wrote:
> i try to implment the proxypass and proxypassreverse in apache 2.4
> vhost file on oel 6.8 to redirect does to tomcat apps web page but
> nothing seem to work like in apache 2.2.x
> 
> is there some new stuff i need to configure to make it works !
> 
> hope you can help me on this !

Please post your configuration. Just the ProxyPass/ProxyPassReverse
lines and the related VirtualHost wrapper will be sufficient from
httpd.conf. From Tomcat, please post your  configuration
(minus any secrets).

Also, please post the URL you are using to hit the proxy server (httpd).

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYp1WsAAoJEBzwKT+lPKRYx1wP/1Ht4Kz4BMKKedONEyCRefrQ
rz+tQMBWoM4zIaWFVFzCefwTHfppX47jPcgq7IZYq9TIfWrwQRW6BGjCxZw9LSdJ
43qLuUstvwz8qZgDzzAC+AaL3L5cHdRVOMhRmpInS5uFK04AdhbeVRyO7iIjkITw
cAkGDNgFyr8WWJpX6glD2igJrZADOrNS0xQG9LP4d0iUMM0uxUHLAVNiir6HGuDG
htplms/wNHOlMgZ/DzyGBKF6aWHsBe1r9T2KC5VFGsLFphJEJfVUUqFGloJVENyt
QiG9Np+FcBK3CrL5EBZZbger2vAx5ODs6i3ug8sI4Lfxat1aMkHY1DfYOQd4rqZJ
TY7yO8TuCkM/ZjCfN1O8n5oIRAa0ThP7jkmwgF3dPsfCu8qpNRymDFJi0/Vq5LaR
IMhyOoYEabgrknFg9ohFBlqKDvGZsjDtCXexe9y/VEF7Gh+e4SdQ30sbihXZ+lub
dw4BVcO7aezsF6TS5t5ARb34IMVsfp6U/giTllczKn42aKB9qdEC1FmhHKaOJ5r2
MqNZlzYzNzAIuXZ0cCom/GJL4Lzeskql+cLGrSjt7yNxn9YMfHYJYXaVm17EdfBH
Un2neVTc8u5786+mm8u9SGRWRojiuNnt4hzL9RwycJa7AGwvx7nfJcC3neHTYvvZ
iu2V/ivMNpBks8sozJk9
=Tarw
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Processes starts

2017-02-17 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hement,

On 2/15/17 6:05 AM, Hemant Chaudhary wrote:
> When I am stating my httpd-2.4.23 servers, sometime 6 process id's
> or sometimes 7 process id's are generated. Can I edit how many
> process id's I want to start.

Yes.

> I am assuming 1 process id is of root and remaining 5 of its
> thread. Please help to know why this is happening and where it is
> stated how much to open?

Which MPM are you using?

> Second doubt is I want to check process id's in access_log, I am
> editing %P for process id in format, I am getting correct value. I
> want to use %{format}P.
> 
> I tried with this but this is not working, please helpp how to get
> pid,tid,hextid using %{format}P.

What exactly did you try? I would have guessed:

LogFormat "... $P,%{tid}P,%{hextid}P ..." my_format

Remember to apply your LogFormat to the type of logger you want e.g.

CustomLog "access_log" my_format

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYp1daAAoJEBzwKT+lPKRYuJsQAMDX852vDqIV9hFl8UKI82gy
I8O1ks/sdZiR7+gVlhzFR9elCx67Hi472XYSvlnRUs+uSRGCvBXzpUzG5liBzqO9
tdtRd/ayBqTc2pK7sH1Xsn8YcwZ1wGz3aM/VDa6ahWyqYpo6+AIOAC82e7dXqNuJ
aYm8z5yQiCkxwoR1oqHfUX3Vn+w2cdgf3N0P8J2jtIWPO8Gy/Yn6/CYHQhnR0P61
yKsq/4Z1ycb3UQDziJv48z1yZ8C41goZ8GtJlSDHlYh4MACswk39DfxVTVV7MYE8
7Y/NVzKPUMDaDC9VWgocyfVXqJ1m9Ogff/1seKpblcyla96sjymfEn+jH4bH+PuX
jj9kZsSExIH6SFc4evmYTQZ1Oy1aSaWVD9LmU8aSICu+7LFji7JH9eRMmsfBLzMC
xxEQln2nY9dIYp09O6j4ox6r4qKmCXNRczVnB3mTbvUb2cM3k9Y4CAhirjWyq3Vn
1K4BIwZ04Lt8Wuw8bqp+5eJXl+QHno/IvVEf6Tc+9yFLrLv7KfnB4SndDhiNAyZc
FJKIFf2stOos+m6LAOjUri4G5ePLsuJYHlyiRUZA08hNitwhRDw1VBOlBg7tpHn9
AmhXD4aH0XibN8S5y+LJiRF1LGUiiEak25BHPAxAbza71ZAuF39sdG35qrpZ5NRW
D0nxcpKYCUaDze903UY1
=rcuy
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] DH parameter selection on httpd 2.2

2017-03-30 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

I'm running httpd 2.2.31 on Amazon Linux, and the docs for
SSLCertificateFile say:

"
Beginning with version 2.2.30, mod_ssl makes use of standardized DH
parameters with prime lengths of 2048, 3072, 4096, 6144 and 8192 bits
(from RFC 3526), and hands them out to clients based on the length of
the certificate's RSA/DSA key.
"

I have a 4096-bit RSA key and yet I'm not getting a 100% on SSL Labs'
SSL testing tool. That suggests that the DH parameter strength is less
than what I was expecting: 4096-bit (or equivalent).

How does httpd determine which DH primes to use based upon the RSA
key? The server's key is 4096-bit, but the issuer's key (in the chain)
is 2048-bit. Is that the reason SSL Test is not giving me full marks?

I'm trying to create a 4096-bit parameters file (to attach to the RSA
key chain), but it's taking a while so I figured I'd ask in the meantime
.

Thanks!

- -chris

PS I'll see some of you in Miami!
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJY3WteAAoJEBzwKT+lPKRYn7oP/izQu232bxrNNvtjtrYT/u7B
fRgWALYU1S+Subp8gv809DB5nzcYyk5wjc+O8dqBzNFUjONfkAHKRrkTTaWQeqL2
u6bungrbmKmn1H/j547ZLDTI0CjE1ZeFyr/8NBGmJSf9MdVpCjaDZeptelnX63+z
Hd/jIdV3NV49KrWw0Pb7tuLH/SzoJ6y8M+tPJW7i4PO3e4lrPUDI8BTtB+8EUD+Y
exbFAXu/V8fzm/hLvR3cm/G85GkhwSIn91rTrBM10bHtIx6x+tCShC5lhXyWUSxV
rRZ7KsDAy6t2RO5PNyAUMvPq3h3y79AWsGAsATgiOpZH5P+4ChU4J/7JMV2XN2/6
aK7dM3VZXwYVmE4auRZPhA/D2YY9OOLDXPv7dsRcOM5Rehe29FgzVuFGIDFgEbS0
p88MB5pZwxllkCeIgEd+hIP42lp3/Gbz0kaJh/lZCiBuIHUovKO12llszhOnczBk
WMPLzWkewzQB4iEFbyldemNpHQvtK/jyigVNwUjVLfl7w+Fs2l4h0A1CFCYxZ9nh
s9EG53gHUwvz3+PQKr2nJkOev44SQiZAY77FLgTn9QoG7jPTU460BXO2IxG/qbSA
EkK4nvBFRWFSMQwu2RLzjlTKidFR7LDaBbIJ1Lk1cmEd7vnUQiFL1o3/Fg7SBgin
BpP3j8DlPtdHDI9BB+sy
=13zU
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] DH^H^H EC parameter selection on httpd 2.2

2017-03-31 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

On 3/30/17 4:32 PM, Christopher Schultz wrote:
> All,
> 
> I'm running httpd 2.2.31 on Amazon Linux, and the docs for 
> SSLCertificateFile say:
> 
> " Beginning with version 2.2.30, mod_ssl makes use of standardized
> DH parameters with prime lengths of 2048, 3072, 4096, 6144 and 8192
> bits (from RFC 3526), and hands them out to clients based on the
> length of the certificate's RSA/DSA key. "
> 
> I have a 4096-bit RSA key and yet I'm not getting a 100% on SSL
> Labs' SSL testing tool. That suggests that the DH parameter
> strength is less than what I was expecting: 4096-bit (or
> equivalent).
> 
> How does httpd determine which DH primes to use based upon the RSA 
> key? The server's key is 4096-bit, but the issuer's key (in the
> chain) is 2048-bit. Is that the reason SSL Test is not giving me
> full marks?
> 
> I'm trying to create a 4096-bit parameters file (to attach to the
> RSA key chain), but it's taking a while so I figured I'd ask in the
> meantime .

I added my 4096-bit DH parameters to the end of my cert file, like this:

- -BEGIN CERTIFICATE-
[my RSA certificate]
- -END CERTIFICATE-
- -BEGIN DH PARAMETERS-
[my DH parameters data]
- -END DH PARAMETERS-

and restarted httpd.

When running SSL Labs' test, it tells me the following:

cipher / key-exch / strength / forward-security
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq.
3072 bits RSA)   FS
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq.
3072 bits RSA)   FS
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 4096 bits   FS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 4096 bits   FS

So it looks like the DH parameters are okay, but the EC RSA-bit-equiv
is only 3072.

Does this mean that I'd need to create an ecparam file to raise that
RSA-bit-equiv even higher?

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJY3m0pAAoJEBzwKT+lPKRY+yEP/RoJD/UK7DtWRsklRqf7dnkK
b1ISfV7+tbJokQ+i+gnBHeU+IXA70DLU0y5bjd82zEXfBJ4rwk0yhDXr2110PVjE
reZz8C37NfXXCNXWJiSAfOOyEYJBzXQ8/hsrcbRTcDnetWvsXwZ09OIn7q/IDRvP
94W5LjtZM9FW0Obtcgrn2P/nQSPKIJlHAdZFgwVZkart1snRwAklQQ2kwX29Knyt
h/ZZ1i5B31euZRrQsbTIYKkpCrfALi1eRQvmgGuW+Myjlj3M+Cr7Hw9uR73qKCAW
4cNrue+8DmYSDHwjAHbfcxqcEEJvgkfgBU3SuRdWrud/zwWlYhI2HxfGwoONK4Vo
wGljRAcen3X8jebnkXj3v4QhToGmESFU2vBnxXpmDjo0pxMhSk2OzAYXdSTBtLL9
BjlrObQM5WAvyX0PjBAji+fD1Iz690jCbGJWqHfOeNIAlkDbVtjZE8fiNK0k57K8
dSjzLWDjDOAgC/rPc5SeFCAewcqcBDVAObfITKrm77c2hqHH6jOjWdNiZj/2Xg5d
6FUTC6VLlk/VULf8xK0WL27RaqwvOcExbrnbed4oLB+wmIw1uD47LFFAz9dmL+J4
RppIcIBcnXPvuaeXbZ227gkO/2ShSgPzH1oZm09UORMdbZw+Xwm8Gks/PcHQujMD
UG8+nS4yiXV0VLkqMs2e
=NUwP
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Logs analyse

2013-07-26 Thread Christopher Schultz 
Vitthal,

On Jul 26, 2013, at 7:18,  wrote:

> Can anyone tell me the name of apache logs analyzer tool which is free and 
> easily available.

You could use Webalizer or its more currently-maintained fork, awffull.

-chris

[users@httpd] and Satisfy in for mod_dav

2013-09-16 Thread Christopher Schultz 
All,

I'm having trouble getting  and Satisfy to work within a .

I'm using Apache httpd 2.2.22 on Debian Wheezy.

Now, "Satisfy" is not documented to work under  elements, but
also  is not documented to work under , and seems to
work without a problem. I was wondering if it's just an accident that
 works under , but that Satisfy can't, or the
documentation is inaccurate, or if I simply can't do what I want to do.

I am trying to protect a part of my filesystem that is accessible via
WebDAV. I'm using mod_dav along with mod_auth_ldap and I'd like to be
able to do this:


  
Satisfy Any
Require ldap-group cn=some-read-only-group
Require ldap-group cn=some-read-only-other-group
  
  
Satisfy Any
Require ldap-group cn=some-read-write-group
  



The closest thing I'm able to get working is this:


  
Require ldap-group cn=some-read-only-group
  
 
Require ldap-group cn=some-read-write-group
  


It looks like I have to use  instead of  because
 does not protect directories being handled by mod_dav. Can
someone confirm that?

Whenever I use "Satisfy Any" anywhere, it appears to apply to a
much-wider set of files than is specified in  or .

Is there a way to do complicated permissions along with WebDAV?

I'd appreciate any suggestions anyone might have.

While I'm at it, I'd like to know whether path-ordering in httpd.conf
will have any bearing on how the permissions are applied. Ideally, I'd
like to be able to set permissions on a top-level directory, then
override those permissions on a sub-directory -- not necessarily either
widening or narrowing the permissions... I might want to do a little of
both.

-chris



signature.asc
Description: OpenPGP digital signature

[users@httpd] High CPU Usage in Amazon EC2

2014-04-03 Thread Christopher Schultz 
All,

I'm having a problem in production I've never seem before. We are
running a pair of AWS EC2 m1.micro web servers where only one of them in
really in service at any given time. The httpd instance serves some
static content and forwards a great deal of traffic via stunnel to a
single back-end Tomcat server using mod_jk 1.2.37. We have been running
under this configuration for several years with no problems.

Last weekend, we upgraded our OS to Amazon Linux 2014.03 (32-bit) from
Amazon's previous version (I can't remember which one), including the
package-refresh that comes with it for httpd. The current kernel version
is 3.10.34. The current httpd version is 2.2.26. The package name is
"httpd-2.2.26-1.1.amzn1.i686" if anyone is interested. We are using a
prefork MPM with the following (default) settings:

StartServers   8
MinSpareServers5
MaxSpareServers   20
ServerLimit  256
MaxClients   256
MaxRequestsPerChild  4000

What I can observe is that the CPU load average is rising from the usual
sub-2.0 value to sometimes as high as 70. That's seventy, not
seven-point-oh.

I see no errors in the log, and httpd doesn't seem to be dropping any
requests... just running very very slowly.

It seems to come in waves: the load will go up, and everything will slow
down, and then we'll get a reprieve.

I can see 22 server processes running right this moment, but the load
average has dropped back to 0.05.

I've enabled ExtendedStatus and it really doesn't look like there is a
huge number of requests being served. Less than 1 req/sec. This is *not*
a high-load server. I can see some of the httpd child processes using
20% or more of the CPU as reported by 'top'.

Is there a good way for me to determine what those processes are doing?
As this is a modestly-used server, I can probably enable additional
logging without too much trouble.

Any help anyone can provide would be very much appreciated.

Thanks,
-chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] High CPU Usage in Amazon EC2

2014-04-03 Thread Christopher Schultz 
All,

I forgot to mention that most of our traffic is over SSL. OpenSSL
version is OpenSSL 1.0.1e-fips 11 Feb 2013.

Thanks,
-chris

On 4/3/14, 10:04 AM, Christopher Schultz wrote:
> All,
> 
> I'm having a problem in production I've never seem before. We are
> running a pair of AWS EC2 m1.micro web servers where only one of them in
> really in service at any given time. The httpd instance serves some
> static content and forwards a great deal of traffic via stunnel to a
> single back-end Tomcat server using mod_jk 1.2.37. We have been running
> under this configuration for several years with no problems.
> 
> Last weekend, we upgraded our OS to Amazon Linux 2014.03 (32-bit) from
> Amazon's previous version (I can't remember which one), including the
> package-refresh that comes with it for httpd. The current kernel version
> is 3.10.34. The current httpd version is 2.2.26. The package name is
> "httpd-2.2.26-1.1.amzn1.i686" if anyone is interested. We are using a
> prefork MPM with the following (default) settings:
> 
> StartServers   8
> MinSpareServers5
> MaxSpareServers   20
> ServerLimit  256
> MaxClients   256
> MaxRequestsPerChild  4000
> 
> What I can observe is that the CPU load average is rising from the usual
> sub-2.0 value to sometimes as high as 70. That's seventy, not
> seven-point-oh.
> 
> I see no errors in the log, and httpd doesn't seem to be dropping any
> requests... just running very very slowly.
> 
> It seems to come in waves: the load will go up, and everything will slow
> down, and then we'll get a reprieve.
> 
> I can see 22 server processes running right this moment, but the load
> average has dropped back to 0.05.
> 
> I've enabled ExtendedStatus and it really doesn't look like there is a
> huge number of requests being served. Less than 1 req/sec. This is *not*
> a high-load server. I can see some of the httpd child processes using
> 20% or more of the CPU as reported by 'top'.
> 
> Is there a good way for me to determine what those processes are doing?
> As this is a modestly-used server, I can probably enable additional
> logging without too much trouble.
> 
> Any help anyone can provide would be very much appreciated.
> 
> Thanks,
> -chris
> 



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] High CPU Usage in Amazon EC2

2014-04-03 Thread Christopher Schultz 
Oscar,

On 4/3/14, 10:33 AM, Oscar Knorn wrote:
> Sounds like apache is waiting for a response or a means to forward the
> request via stunnel.
> Is /dev/random or /dev/urandom providing sufficient random to the process?

I'm not sure how to check that. Any ideas?

In either case above, wouldn't the processes be sitting idle waiting for
blocking IO to return? I'm not surprised that the bytes are moving
slowly, actually. I'm surprised that I'm pegging my CPU waiting for
bytes to move...

Thanks,
-chris

> On 4/3/14, 40:23 PM, Christopher Schultz wrote:
>> All,
>>
>> I forgot to mention that most of our traffic is over SSL. OpenSSL
>> version is OpenSSL 1.0.1e-fips 11 Feb 2013.
>>
>> Thanks,
>> -chris
>>
>> On 4/3/14, 10:04 AM, Christopher Schultz wrote:
>>> All,
>>>
>>> I'm having a problem in production I've never seem before. We are
>>> running a pair of AWS EC2 m1.micro web servers where only one of them in
>>> really in service at any given time. The httpd instance serves some
>>> static content and forwards a great deal of traffic via stunnel to a
>>> single back-end Tomcat server using mod_jk 1.2.37. We have been running
>>> under this configuration for several years with no problems.
>>>
>>> Last weekend, we upgraded our OS to Amazon Linux 2014.03 (32-bit) from
>>> Amazon's previous version (I can't remember which one), including the
>>> package-refresh that comes with it for httpd. The current kernel version
>>> is 3.10.34. The current httpd version is 2.2.26. The package name is
>>> "httpd-2.2.26-1.1.amzn1.i686" if anyone is interested. We are using a
>>> prefork MPM with the following (default) settings:
>>>
>>> StartServers   8
>>> MinSpareServers5
>>> MaxSpareServers   20
>>> ServerLimit  256
>>> MaxClients   256
>>> MaxRequestsPerChild  4000
>>>
>>> What I can observe is that the CPU load average is rising from the usual
>>> sub-2.0 value to sometimes as high as 70. That's seventy, not
>>> seven-point-oh.
>>>
>>> I see no errors in the log, and httpd doesn't seem to be dropping any
>>> requests... just running very very slowly.
>>>
>>> It seems to come in waves: the load will go up, and everything will slow
>>> down, and then we'll get a reprieve.
>>>
>>> I can see 22 server processes running right this moment, but the load
>>> average has dropped back to 0.05.
>>>
>>> I've enabled ExtendedStatus and it really doesn't look like there is a
>>> huge number of requests being served. Less than 1 req/sec. This is *not*
>>> a high-load server. I can see some of the httpd child processes using
>>> 20% or more of the CPU as reported by 'top'.
>>>
>>> Is there a good way for me to determine what those processes are doing?
>>> As this is a modestly-used server, I can probably enable additional
>>> logging without too much trouble.
>>>
>>> Any help anyone can provide would be very much appreciated.
>>>
>>> Thanks,
>>> -chris
>>>
>>
> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] High CPU Usage in Amazon EC2

2014-04-03 Thread Christopher Schultz 
All,

This is the current status map on me server:

Total accesses: 14118 - Total Traffic: 3.9 GB
CPU Usage: u404.04 s9.82 cu0 cs0 - .956% CPU load
.326 requests/sec - 94.4 kB/second - 289.5 kB/request
6 requests currently being processed, 15 idle workers

.__..._.._.R_R_.._...__.._._R_.R...R..W_..__




top reports CPU load average "4.71, 10.49, 10.43" so things are settling
down a bit right now. Here's what top shows for the httpd processes (at
the top of the report, so these are the highest-CPU processes this
particular moment):

  PID USER  PR  NI  VIRT  RES  SHR S %CPU %MEMTIME+  COMMAND

23225 apache20   0 27772 6860 2444 R  8.6  1.1   0:02.94 httpd

23337 apache20   0 27764 6724 2324 R  6.3  1.1   0:00.80 httpd

23224 apache20   0 27820 7112 2624 R  4.6  1.2   0:03.02 httpd

23023 apache20   0 27824 7204 2692 R  4.3  1.2   0:12.15 httpd

21815 apache20   0 27820 7420 2916 R  4.0  1.2   0:58.10 httpd

22478 apache20   0 27992 8412 3856 R  4.0  1.4   0:28.18 httpd


I wasn't able to copy/paste all of that stuff at exactly the same time,
so the numbers are a bit off from each other.

But the server is simply not handling very much traffic. I don't
understand the spikes in CPU load -- which is what lows everything down.
Even doing something like attaching strace to a running process took
something like 30 seconds before it started actually logging anything to
the terminal.

I checked the status of entropy availability using this command:

$ cat /proc/sys/kernel/random/entropy_avail

I did this a few tens of times and the lowest number I ever got was 133.
On systems that have truly run out of randomness, I have seen this
number drop to zero (it usually happens during OpenSSL server key
generation :).

I'm at a loss for what to check next. Any suggestions?

Thanks,
-chris

On 4/3/14, 10:38 AM, Christopher Schultz wrote:
> Oscar,
> 
> On 4/3/14, 10:33 AM, Oscar Knorn wrote:
>> Sounds like apache is waiting for a response or a means to forward the
>> request via stunnel.
>> Is /dev/random or /dev/urandom providing sufficient random to the process?
> 
> I'm not sure how to check that. Any ideas?
> 
> In either case above, wouldn't the processes be sitting idle waiting for
> blocking IO to return? I'm not surprised that the bytes are moving
> slowly, actually. I'm surprised that I'm pegging my CPU waiting for
> bytes to move...
> 
> Thanks,
> -chris
> 
>> On 4/3/14, 40:23 PM, Christopher Schultz wrote:
>>> All,
>>>
>>> I forgot to mention that most of our traffic is over SSL. OpenSSL
>>> version is OpenSSL 1.0.1e-fips 11 Feb 2013.
>>>
>>> Thanks,
>>> -chris
>>>
>>> On 4/3/14, 10:04 AM, Christopher Schultz wrote:
>>>> All,
>>>>
>>>> I'm having a problem in production I've never seem before. We are
>>>> running a pair of AWS EC2 m1.micro web servers where only one of them in
>>>> really in service at any given time. The httpd instance serves some
>>>> static content and forwards a great deal of traffic via stunnel to a
>>>> single back-end Tomcat server using mod_jk 1.2.37. We have been running
>>>> under this configuration for several years with no problems.
>>>>
>>>> Last weekend, we upgraded our OS to Amazon Linux 2014.03 (32-bit) from
>>>> Amazon's previous version (I can't remember which one), including the
>>>> package-refresh that comes with it for httpd. The current kernel version
>>>> is 3.10.34. The current httpd version is 2.2.26. The package name is
>>>> "httpd-2.2.26-1.1.amzn1.i686" if anyone is interested. We are using a
>>>> prefork MPM with the following (default) settings:
>>>>
>>>> StartServers   8
>>>> MinSpareServers5
>>>> MaxSpareServers   20
>>>> ServerLimit  256
>>>> MaxClients   256
>>>> MaxRequestsPerChild  4000
>>>>
>>>> What I can observe is that the CPU load average is rising from the usual
>>>> sub-2.0 value to sometimes as high as 70. That's seventy, not
>>>> seven-point-oh.
>>>>
>>>> I see no errors in the log, and httpd doesn't seem to be dropping any
>>>> requests... just running very very slowly.
>>>>
>>>> It seems to come in waves: the load will go up, and everything will slow
>>>> down, and then we

Re: [users@httpd] High CPU Usage in Amazon EC2

2014-04-03 Thread Christopher Schultz 
Jason,

On 4/3/14, 11:35 AM, Jason Cillo wrote:
> Have you looked at OpenSSL Cookbook? It's free. I find it very
> useful. (I even bought the larger book of which it is a chapter.)

Did you have something in particular that you thought would be relevant
from that book?

-chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] High CPU Usage in Amazon EC2

2014-04-05 Thread Christopher Schultz 
Igor,

On 4/4/14, 5:39 AM, Igor Cicimov wrote:
> 
> On 04/04/2014 1:05 AM, "Christopher Schultz"
> mailto:ch...@christopherschultz.net>> wrote:
>>
>> All,
>>
>> I'm having a problem in production I've never seem before. We are
>> running a pair of AWS EC2 m1.micro web servers where only one of them in
>> really in service at any given time. The httpd instance serves some
>> static content and forwards a great deal of traffic via stunnel to a
>> single back-end Tomcat server using mod_jk 1.2.37. We have been running
>> under this configuration for several years with no problems.
>>
> Enable the stunnel logs maybe they will reveal something?

I don't think stunnel has changed much. Besides, the stunnel processes
aren't eating up the CPU: it's the httpd processes that are.

>> Last weekend, we upgraded our OS to Amazon Linux 2014.03 (32-bit) from
>> Amazon's previous version (I can't remember which one), including the
>> package-refresh that comes with it for httpd. The current kernel version
>> is 3.10.34. The current httpd version is 2.2.26. The package name is
>> "httpd-2.2.26-1.1.amzn1.i686" if anyone is interested. We are using a
>> prefork MPM with the following (default) settings:
>>
>> StartServers   8
>> MinSpareServers5
>> MaxSpareServers   20
>> ServerLimit  256
>> MaxClients   256
>> MaxRequestsPerChild  4000
>>
>> What I can observe is that the CPU load average is rising from the usual
>> sub-2.0 value to sometimes as high as 70. That's seventy, not
>> seven-point-oh.
>>
>> I see no errors in the log, and httpd doesn't seem to be dropping any
>> requests... just running very very slowly.
>>
> What if you increase the LogLevel to debug? Meaybe jkLogLevel too.

I could certainly do that, but the mod_jk binary is the same as before
the upgrade.

>> It seems to come in waves: the load will go up, and everything will slow
>> down, and then we'll get a reprieve.
>
> Whats the memory usage at those times? If you have sysstat installed you
> can run sar for some stats about disk cpu and memory.

I installed sysstat and am collecting data. Monday morning is when we'll
get killed, and I'll have the data then.

> First thing i would do is move from prefork to mpm worker. You
> should see significant improvement.

While that may be the case, something else must have changed. We had
been using the prefork MPM beforehand without a problem.

We've upgraded to Linux kernel 3.10.35 at the suggestion of the AWS
support folks, but things still look pretty ugly. I've resurrected an
old snapshot to compare the performance relative to the upgraded
instance. If the 3.10.35 instance falls-over on Monday, I'll switch-over
to the older kernel instance.

Thanks,
-chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] High CPU Usage in Amazon EC2

2014-04-08 Thread Christopher Schultz 
Igor,

On 4/5/14, 4:57 PM, Igor Cicimov wrote:
> 
> On 06/04/2014 5:51 AM, "Christopher Schultz"
> mailto:ch...@christopherschultz.net>> wrote:
>>
>> Igor,
>>
>> On 4/4/14, 5:39 AM, Igor Cicimov wrote:
>> >
>> > On 04/04/2014 1:05 AM, "Christopher Schultz"
>> > mailto:ch...@christopherschultz.net>
> <mailto:ch...@christopherschultz.net
> <mailto:ch...@christopherschultz.net>>> wrote:
>> >>
>> >> All,
>> >>
>> >> I'm having a problem in production I've never seem before. We are
>> >> running a pair of AWS EC2 m1.micro web servers where only one of
> them in
>> >> really in service at any given time. The httpd instance serves some
>> >> static content and forwards a great deal of traffic via stunnel to a
>> >> single back-end Tomcat server using mod_jk 1.2.37. We have been running
>> >> under this configuration for several years with no problems.
>> >>
>> > Enable the stunnel logs maybe they will reveal something?
>>
>> I don't think stunnel has changed much. Besides, the stunnel processes
>> aren't eating up the CPU: it's the httpd processes that are.
>>
> Yes but apache actually connects to stunnel and can be affected by it in
> case of any issues it has.
> 
> I would also try to run pstack again some of the pids consuming the cpu
> to find out what are they doing.
> 
> Basically since the kernel got upgraded any of the parts used here might
> be possibly impacted by some new or existing bug.

I have some more data. I have launched two EC2 t1.micro instances based
upon the same old snapshot that I had available. I upgraded 3 packages
on one of them (httpd and two dependencies: mod_ssl and httpd-tools) and
ran a load test using JMeter.

I have these aggregate numbers for the two machines:

Linux kernel 3.2.38 / httpd 2.2.23
Samples: 9942
Average: 715
Median: 347
90% Line: 1500
Min: 159
Max: 47157
Throughput: 35.1 k/sec
KB/sec: 120.4

Linux 3.2.38 / httpd 2.2.26:
Samples: 9941
Average: 1124
Median: 344
90% line: 2687
Min: 159
Max: 117918
Throughput: 35.1
KB/sec: 120.4

Otherwise the configuration is essentially the same: same modules
loaded, etc. The numbers from above represent essentially a trivial
request to my Tomcat backend.

I'm not sure I can chalk-up the above difference to simply network noise
(specifically, average, max, 90% line). What I'm observing here is
certainly not the extent of the problems we are experiencing, but I have
noticed a difference between these two versions as provided by Amazon's
yum repo.

I'll see what happens if I start to update other components as well.

-chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] High CPU Usage in Amazon EC2

2014-04-08 Thread Christopher Schultz 
All,

On 4/8/14, 11:11 AM, Christopher Schultz wrote:
> I'm not sure I can chalk-up the above difference to simply network noise
> (specifically, average, max, 90% line). What I'm observing here is
> certainly not the extent of the problems we are experiencing, but I have
> noticed a difference between these two versions as provided by Amazon's
> yum repo.

I had a flash of inspiration while listening to one of today's talks on TLS.

We recently updated our TLS certificates, and the new server keys are
4096 bits while the older keys were 2048 bits. Of the two servers I
configured for testing, one had the new keys, the other, the old.

Matching the two keys has brought the load test back to a sane comparison.

Now I can resume hunting for the combination of packages and settings
that seems to be the differentiating factor.

-chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] heartbleed and httpd configuration

2014-04-15 Thread Christopher Schultz 
Steven,

On 4/12/14, 2:15 PM, Steven Siebert wrote:
> I think it would be unlikely because the httpd configuration data
> would be read into memory early on the heap (and in a very low
> volatile area where that memory wouldn't often be freed up), whereas
> the heartbeat would be much later in the heap, and thus the buffer
> overflow would very unlikely effect it.
> 
> You might get a more definitive answer CCing the developer
> distro...since this really isn't a simple "configuration and support"
> questionbut they might just ignore the non-dev question.
> 
> If you get the answer off list, please update =)

This is what CloudFire thought, and they dared someone to steal their
key using Heartbleed. 9 hours later...

http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge

Then again, they were using Nginx. But the idea is that everything is
theoretically snoopable via Heartbleed.

-chris



signature.asc
Description: OpenPGP digital signature

[users@httpd] Enabling ECDHE ciphers

2014-04-17 Thread Christopher Schultz 
All,

I'm trying to enable (and prefer!) ECDHE ciphers for clients that can
support them. I've done the obvious:

SSLHonorCipherOrder Yes
SSLProtocol ALL -SSLv2
SSLCipherSuite ECDHE:ECDH:..[other stuff]

I have confirmed that, when running "openssl ciphers [stuff above]" that
I get ECDHE ciphers listed at the top of the list. I'm running OpenSSL
1.0.1g-FIPS so that shouldn't be a problem.

Both my browser and Qualys's SSL tester don't seem to be able to use
those ciphers. Is it because I haven't done run "openssl ecparam"? I
haven't seen this shown as a requirement anywhere for enabling ECDHE (or
ECDH) ciphers anywhere online, though it makes sense that I'd have to do
something like that.

Or is it because I have "SSLProtocols ALL -SSLv2", which prefers SSLv3,
then TLSv1, then TLSv1.1, etc. instead of having them in the opposite
order? I tried "SSLProtocols TLSv1.2 TLSv1.1 TLSv1 SSLv3 -SSLv2" but I
get an error saying that "TLSv1.2 is unrecognized".

I'm running httpd 2.2.23 on Amazon Linux. I read in the comments for
mos_ssl that httpd 2.2.24 is required for "TLSv1.2" to be specified
directly. Is that accurate? I can see in my Qualys test that TLS 1.2 can
be used by some of the "simulated clients", so I suspect that it is in
fact available -- perhaps just not preferred?

Any help would be appreciated.

Thanks,
-chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] Enabling ECDHE ciphers

2014-04-17 Thread Christopher Schultz 
Hanno,

On 4/17/14, 12:29 PM, Hanno Böck wrote:
> On Thu, 17 Apr 2014 12:27:37 -0400
> Christopher Schultz  wrote:
> 
>> I'm trying to enable (and prefer!) ECDHE ciphers for clients that can
>> support them. I've done the obvious:
> [...]
>> I'm running httpd 2.2.23
> 
> That's your problem. Get rid of that old cruft. You'll need apache 2.4
> (for that and for many other improvements regarding ssl encryption).

What is it about httpd 2.4 that enables a particular cipher? I figured
that if OpenSSL supported it, httpd would as well. Is there something
about ECDHE that requires more plumbing on the httpd side?

Thanks,
-chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] Enabling ECDHE ciphers

2014-04-18 Thread Christopher Schultz 
Igor,

On 4/17/14, 8:56 PM, Igor Cicimov wrote:
> 
> On 18/04/2014 2:30 AM, "Hanno Böck"  <mailto:ha...@hboeck.de>> wrote:
>>
>> On Thu, 17 Apr 2014 12:27:37 -0400
>> Christopher Schultz  <mailto:ch...@christopherschultz.net>> wrote:
>>
>> > I'm trying to enable (and prefer!) ECDHE ciphers for clients that can
>> > support them. I've done the obvious:
>> [...]
>> > I'm running httpd 2.2.23
>>
>> That's your problem. Get rid of that old cruft. You'll need apache 2.4
>> (for that and for many other improvements regarding ssl encryption).
>>
> No you don't i have 2.2 with latest openssl-1.0.1g on all my servers and
> TLSv1.2 and ECDHE ciphers are supported.

I checked, and even though I have the OpenSSL 1.0.1g package installed,
it appears that httpd was compiled against OpenSSL 1.0.0. When I look at
the start up log, it says:

[Mon Apr 14 15:49:34 2014] [notice] Apache/2.2.23 (Unix) DAV/2
mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured --
resuming normal operations

On another test server, I upgraded to the latest 2.2.x httpd I can get
from Amazon, which is 2.2.26. I re-started and still can't seem to use
the ECDHE algorithms.

On that same (second) test server I upgraded to httpd 2.4.9. Here is the
startup log message there:

[Fri Apr 18 15:53:26.330856 2014] [mpm_prefork:notice] [pid 15337]
AH00163: Apache/2.4.9 (Amazon) OpenSSL/1.0.1e-fips PHP/5.5.10
mod_jk/1.2.40 configured -- resuming normal operations

I'm now able to use the ECDHE ciphers.

Everything appears to be dynamically-linked, so I can't understand why
2.2.x reports it's running with OpenSSL 1.0.0 when I clearly have 1.0.1
installed. This is almost certainly an Amazon-Linux-related thing if you
were able to get ECDHE ciphers working on 2.2.x.

I wonder, what does your startup string say about OpenSSL?

The good news is that I really did only have to put it in my ciphers list.

Thanks,
-chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] NameVirtualHost address is not supported

2014-04-18 Thread Christopher Schultz 
Michael,

On 4/18/14, 2:16 PM, Michael Peters wrote:
> I have a few sites I’d like to run on a single server with one IP on
> port 80 and 443. I’ve tried several configuration examples without
> success. I get error messages like this:
> 
>  
> 
> Starting httpd: [Fri Apr 18 09:23:32 2014] [error] VirtualHost
> _default_:443 -- mixing * ports and non-* ports with a NameVirtualHost
> address is not supported, proceeding with undefined results
> 
> [Fri Apr 18 09:23:32 2014] [warn] NameVirtualHost 184.168.190.45:0
>  has no VirtualHosts
> 
>  
> 
> When I put multiple entries into httpd.conf similar to this:
> 
>  
> 
> #
> 
> http://208.109.171.169:80>>
> 
> ServerName sitename-1.com 
> 
> DocumentRoot "/www/html/ sitename-1"
> 
> ServerAdmin webmaster@ sitename-1.com 
> 
> 
> 
> allow from all
> 
> Options +Indexes
> 
> 
> 
> 
> 
> #
> 
> http://208.109.171.169:80>>
> 
> ServerName sitename-2.com 
> 
> DocumentRoot "/www/html/ sitename-2"
> 
> ServerAdmin webmaster@ sitename-2.com 
> 
> 
> 
> allow from all
> 
> Options +Indexes
> 
> 
> 
> 
> 
> #

What does your "NameVirtualHost" directive look like?

-chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] Enabling ECDHE ciphers

2014-04-18 Thread Christopher Schultz 
John,

On 4/18/14, 1:16 PM, John Iliffe wrote:
> Further to my previous post, the log reports:
> 
> [Sun Apr 13 03:20:08.591247 2014] [mpm_event:notice] [pid 11737:tid 
> 140478837470976] AH00489: Apache/2.4.9 (Unix) OpenSSL/1.0.1g configured -- 
> resuming normal operations
> [Sun Apr 13 03:20:08.591283 2014] [core:notice] [pid 11737:tid 
> 140478837470976] AH00094: Command line: '/usr/apache-2.4.9/bin/httpd'
> 
> BUT the libssl in use, and resulting from installing OpenSSL-1.0.1g, is 
> libssl-1.0.0

My setup is a little different:

$ httpd -v
Server version: Apache/2.2.23 (Unix)
Server built:   Oct 21 2012 20:35:47

$ ldd /usr/sbin/httpd
linux-gate.so.1 =>  (0xb7761000)
libm.so.6 => /lib/i686/nosegneg/libm.so.6 (0xb76c3000)
libpcre.so.0 => /lib/libpcre.so.0 (0xb7668000)
libselinux.so.1 => /lib/libselinux.so.1 (0xb7649000)
libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0xb7625000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0xb75f6000)
libexpat.so.1 => /lib/libexpat.so.1 (0xb75d)
libdb-4.7.so => /lib/libdb-4.7.so (0xb745e000)
libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0xb743)
libpthread.so.0 => /lib/i686/nosegneg/libpthread.so.0 (0xb7415000)
libc.so.6 => /lib/i686/nosegneg/libc.so.6 (0xb726f000)
/lib/ld-linux.so.2 (0xb7762000)
libdl.so.2 => /lib/libdl.so.2 (0xb726a000)
libuuid.so.1 => /lib/libuuid.so.1 (0xb7265000)
libfreebl3.so => /lib/libfreebl3.so (0xb7206000)

$ ldd /usr/lib/libapr-1.so.0
linux-gate.so.1 =>  (0xb779a000)
libuuid.so.1 => /lib/libuuid.so.1 (0xb776)
libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7731000)
libpthread.so.0 => /lib/i686/nosegneg/libpthread.so.0 (0xb7717000)
libc.so.6 => /lib/i686/nosegneg/libc.so.6 (0xb757)
/lib/ld-linux.so.2 (0xb779b000)
libfreebl3.so => /lib/libfreebl3.so (0xb7511000)
libdl.so.2 => /lib/libdl.so.2 (0xb750c000)

$ ldd /usr/lib/httpd/modules/mod_ssl.so
linux-gate.so.1 =>  (0xb76f3000)
libssl.so.10 => /usr/lib/libssl.so.10 (0xb765d000)
libcrypto.so.10 => /lib/libcrypto.so.10 (0xb74a6000)
libc.so.6 => /lib/i686/nosegneg/libc.so.6 (0xb730)
libgssapi_krb5.so.2 => /lib/libgssapi_krb5.so.2 (0xb72c2000)
libkrb5.so.3 => /lib/libkrb5.so.3 (0xb71f3000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0xb71ef000)
libk5crypto.so.3 => /lib/libk5crypto.so.3 (0xb71c4000)
libresolv.so.2 => /lib/libresolv.so.2 (0xb71ad000)
libdl.so.2 => /lib/libdl.so.2 (0xb71a8000)
libz.so.1 => /lib/libz.so.1 (0xb7192000)
/lib/ld-linux.so.2 (0xb76f4000)
libkrb5support.so.0 => /lib/libkrb5support.so.0 (0xb7187000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb7183000)
libpthread.so.0 => /lib/i686/nosegneg/libpthread.so.0 (0xb7169000)
libselinux.so.1 => /lib/libselinux.so.1 (0xb714a000)

$ ls -l /usr/lib/libssl.so.10
lrwxrwxrwx 1 root root 16 Apr  8 15:38 /usr/lib/libssl.so.10 ->
libssl.so.1.0.1e

$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

$ sudo grep "resuming" /var/log/httpd/error_log
[Fri Apr 18 03:21:02 2014] [notice] Apache/2.2.23 (Unix) DAV/2
mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured --
resuming normal operations

So httpd is dynamically-linked to OpenSSL 1.0.1e (really 1.0.1g, with a
very important patch ;) and yet it reports OpenSSL 1.0.0 on startup.

I don't get it. Both setups (2.2.26 and 2.4.9) have 1.0.1.e and have an
update available to 1.0.1g (I haven't read the changelogs but I'll bet
the difference is mostly the version-bump since everyone is paranoid
about 1.0.1e, now). I'll see if that changes anything.

-chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] Apache and Upgrading OpenSSL

2014-04-18 Thread Christopher Schultz 
Jeff,

On 4/18/14, 12:23 PM, Cabell, Jeff wrote:
> I'm working on doing some upgrade testing to mitigate the Heartbleed
> issue and some other vulnerabilities.  Part of that is updating
> OpenSSL, but I'm a bit confused about something and am hoping that
> someone can help me.  I've done at least a dozen internet searches
> and can't find the answer.  It's probably simple, but I'd like to
> find out anyway.
> 
> What do I need to do in order to update the version of OpenSSL that
> is included in the Apache HTTP server release?  I've installed
> OpenSSL 1.0.1g on the server, but the older version is still in the
> apache /bin directory.  Do I simply replace the openssl executable or
> is there some kind of change that needs to be made in the httpd.conf
> file to point to the newer installation?

OS?

Since you said "executable" and not "binary", I should assume you are on
Windows. If you are using Windows and downloaded the ASF-provided
binary, it appears (just from the filename, I did nothing other than
look at that) that it ships with OpenSSL 0.9.8y, which is not affected
by Heartbleed.

If you downloaded the "nossl" package, then you are don't have SSL or
you have a separate OpenSSL package that you installed yourself (and
it's up to you to figure out how to fix that).

-chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] Apache and Upgrading OpenSSL

2014-04-18 Thread Christopher Schultz 
JEff,

On 4/18/14, 2:59 PM, Cabell, Jeff wrote:
> So you're saying that 2.2.27 and 2.4.9 are not actually current
> releases for Windows...just for *nix?

The httpd project no longer provides binaries of any kind. Most Linux
distros directly package httpd, and anyone can compile it themselves, too.

Most Windows folks sadly do not have a compiler handy. The ApacheLounge
folks have kindly been building binaries for Windows. It appears their
current version is 2.4.9 with OpenSSL 1.0.1g which sounds like it's
exactly what you want.

-chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] Enabling ECDHE ciphers

2014-04-18 Thread Christopher Schultz 
J.Lance,

On 4/18/14, 2:55 PM, J.Lance Wilkinson wrote:
> Christopher Schultz wrote:
> ...snip...
>>
>> I don't get it. Both setups (2.2.26 and 2.4.9) have 1.0.1.e and have an
>> update available to 1.0.1g (I haven't read the changelogs but I'll bet
>> the difference is mostly the version-bump since everyone is paranoid
>> about 1.0.1e, now). I'll see if that changes anything.
> 
> Chris,
> What OS are you running?  RHEL6?

Something like that. It's "Amazon Linux" which is RHEL-compatible.

> If so, then you actually do have the patched version EQUIVALENT to 1.0.1g,
> so my local Linux guru tells me.
> 
> On RHEL6, I get:
> % openssl version
> OpenSSL 1.0.1e-fips 11 Feb 2013
> 
> BUT, I also get:
> ~% rpm -q openssl
> openssl-1.0.1e-16.el6_5.7.x86_64
> 
> 
> RedHat, he tells me, does not distribute the new version but actually
> weng back and applied the relevant patches TO THEIR DISTRIBUTED
> VERSION.  Note the -16.
> That's the indicator.

Yes, I'm aware. Amazon released another update that brings the version
explicitly up to 1.0.1g. I am aware that I saw safe from Heartbleed even
with the older version.

> It seems that RedHat thinks they know better than we.

The difference is that the patched 1.0.1e had only the security patch
for Heartbleed. I suspect that the difference between 1.0.1e and 1.0.1g
directly from OpenSSL includes more changes than just the Heartbleed
patch. This is how most distros work: they back-port only the patches
that are appropriate instead of always including version.current for
their updates.

Anyhow, it seems you've strayed off-topic because this isn't about which
is more appropriate -- 1.0.1e or 1.0.1g... it's about why I can't seem
to get httpd 2.2.26 to use ECDHE ciphers. I suspect it has something to
do with Amazon's build process even though the libraries are
dynamically-linked. Perhaps httpd was built against 1.0.0 so does not
include certain capabilities even though 1.0.1g is available at run-time.

-chris



signature.asc
Description: OpenPGP digital signature

[users] Building apr on win32

2014-06-12 Thread Christopher Schultz 
All,

I'm hoping this is the right mailing list: the apr project seems to have
a "dev" list but no user one. I'm happy to move if appropriate.

I'm trying to build apr on win32 from the command-line and I'm running
into some resistance. I'm using Visual Studio 12 on Windows 8.1. I have
installed the "Windows SDK" as well to try to help, but it doesn't seem
to have improved things.

I'm following the instructions found here:
http://apr.apache.org/compiling_win32.html

I have downloaded the ZIP files for apr, apr-util, and apr-iconv and put
them into the requisite directories.

I've run VS's VC\bin\vcvars32.bat to get the build tools in the path,
but I don't have a setenv.bat anywhere (suggested in the above
instructions). When I get to the step where I run "msdev" (which
basically /does the build/), I can't find the msdev program:

C:\Users\Me\Desktop\apr-util>msdev aprutil.dsw /MAKE "apriconv - Win32
Release"
'msdev' is not recognized as an internal or external command,
operable program or batch file.

I'm no win32 build expert, but I have quite a bit of experience building
on *NIX systems. Can anyone help me get things going on Windows?

Thanks,
-chris



signature.asc
Description: OpenPGP digital signature

[users@httpd] mod_remoteip not setting client's ip with AWS ELB

2014-10-01 Thread Christopher Schultz 
All,

I'm trying to get httpd working behind an AWS ELB but still using the
remote client's information whenever possible.

ELB provides the X-Forwarded-For, X-Forwarded-Port, and
X-Forwarded-Proto HTTP headers. My configuration looks like this:

RemoteIPHeader X-Forwarded-For
#RemoteIPTrustedProxy 10.0.0.0/8

(I commented-out the RemoteIPTrustedProxy line to see if that was the
problem, and it does not appear to have changed the behavior).

My true client IP address is 71.178.xxx.yyy and I'm making a request
through the load balancer. I'm using PHP's "phpinfo()" to dump
everything about the request. I can see that the X-Forwarded-For header
has been /removed/ from the request (which mod_remoteip says will
happen), but I'm still getting the ELB's IP address in my access logs:

10.32.xxx.yyy - - [01/Oct/2014:17:59:27 +] "GET /info.php HTTP/1.1"
200 72810 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0"

I have definitely restarted httpd and mod_remoteip is definitely enabled
(no errors on start, X-Forwarded-For header is being removed from the
headers).

Am I missing something in my configuration?

Thanks,
-chris



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB

2014-10-02 Thread Christopher Schultz 
Mike,

On 10/1/14 5:40 PM, Mike Rumph wrote:
> What version of Apache httpd are you running?

Thanks for the reply. We are running 2.4 and 2.2 on various servers, but
I'm starting with this one:

Server version: Apache/2.4.10 (Amazon)
Server built:   Jul 30 2014 23:57:28

This is the httpd package that Amazon bundles with its Amazon Linux. If
possible, I'd prefer to continue to use their packages.

> There have been some mod_remoteip fixes in recent 2.4.x releases.
> 
> You could also try setting up some LogFormat directives as in bug 55635
> to get more information on this.
> - https://issues.apache.org/bugzilla/show_bug.cgi?id=55635#c1

I'll modify my log format and post what I get under various circumstances.

FWIW, I currently have no "Allow" or "Deny" directives in effect. I was
planing eventually to say "Allow from 10/8" or something equivalent to
only allow connections to this virtual host from the load-balancer. If
that's not going to work, it's easily done at the OS or firewall level.

Thanks,
-chris

> On 10/1/2014 11:00 AM, Christopher Schultz wrote:
>> All,
>>
>> I'm trying to get httpd working behind an AWS ELB but still using the
>> remote client's information whenever possible.
>>
>> ELB provides the X-Forwarded-For, X-Forwarded-Port, and
>> X-Forwarded-Proto HTTP headers. My configuration looks like this:
>>
>>  RemoteIPHeader X-Forwarded-For
>>  #RemoteIPTrustedProxy 10.0.0.0/8
>>
>> (I commented-out the RemoteIPTrustedProxy line to see if that was the
>> problem, and it does not appear to have changed the behavior).
>>
>> My true client IP address is 71.178.xxx.yyy and I'm making a request
>> through the load balancer. I'm using PHP's "phpinfo()" to dump
>> everything about the request. I can see that the X-Forwarded-For header
>> has been /removed/ from the request (which mod_remoteip says will
>> happen), but I'm still getting the ELB's IP address in my access logs:
>>
>> 10.32.xxx.yyy - - [01/Oct/2014:17:59:27 +] "GET /info.php HTTP/1.1"
>> 200 72810 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
>> Gecko/20100101 Firefox/32.0"
>>
>> I have definitely restarted httpd and mod_remoteip is definitely enabled
>> (no errors on start, X-Forwarded-For header is being removed from the
>> headers).
>>
>> Am I missing something in my configuration?
>>
>> Thanks,
>> -chris
>>
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 



signature.asc
Description: OpenPGP digital signature

Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB

2014-10-02 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mike,

On 10/2/14 12:04 PM, Mike Rumph wrote:
> Since you are running 2.4.10, you have the latest mod_remoteip
> fixes. But I think the problem is in the directives that you are
> using:
> 
> RemoteIPHeader X-Forwarded-For #RemoteIPTrustedProxy 10.0.0.0/8
> 
> 
> If you only use the RemoteIPHeader directive, then the default is
> to treat all proxies as external trusted proxies.

Correct. I'm okay with that for the moment. Uncommenting the second
directive didn't change anything.

> Having RemoteIPTrustedProxy set for all your proxies would have the
> same effect.

That's what I'll eventually end up with.

> I assume by your 10.0.0.0/8 mask that this matches your proxy
> addresses. But 10.0.0.0/8 is a mask for internal IP addresses. So
> your proxies will not be accepted as external proxies. And your
> true client ip address will not be used.

Hmm. Maybe I have things mixed up in my head, then.

The AWS ELB will have an address 10.something and so will my actual
server running httpd.

> Try the following directives instead:
> 
> RemoteIPHeader X-Forwarded-For RemoteIPInternalProxy 10.0.0.0/8
> 
> Let us know if this works for you.

I'll try that. With my above configuration, I got a line in my (your)
access log that looks like this:

10.32.219.77 71.178.180.80 10.32.219.77 xf="-" - -
[02/Oct/2014:16:33:39 +] "GET" "GET /tools/info.php HTTP/1.1&" "&"
200 74249 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0" pid=25180 tid=2846788416 time_ms=10079

The log format for that is:
"%h %a %{c}a xf=\"%{X-Forwarded-For}i\" %l %u %t \"%m\" \"%r&\"
\"%q&\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" pid=%{pid}P
tid=%{tid}P time_ms=%D"

I'll change the RemoteIPTrustedProxy to RemoteIPInternalProxy and
enable it and see what happens.

I think I may have been confused by the fact that the X-Forwarded-For
header was being removed... I assumed that meant that mod_remoteip was
trusting the IP address and actually using it.

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJULX8/AAoJEBzwKT+lPKRYodwQALnN6a4eateTmFMUh5pBFFjy
IcgaNzLEVy8hbXZbitiSq5Hr1B/lQDDf5IYE80smW2njk9Y5nzFfifJ/c3Bv979b
67rkEg5EznreaKLKGQhGuLlY2jBtoNUGiiuPyBnbPF9ML+6C02Md7VKCxEcGcjLm
9l7yCy1e0QPd4g9wdyuFFfaSt7P83VLw8/D/GqJNlt2AbSD2iusTmZ+zGe8GCA8x
q/wFGm+/fGWhrD46oZCYUMUVpcqsSbu/ybaUZqXRmOYWsdH+NT5gK0RxwG+plUuF
Qy2kc6Ld0Pka79+lh4wrUhNYXgadw82tis+Q7A+zm2/wsqjyzb224XSdC1Aubcd8
U+ERcUn7ynI1lflOQyMvmIR0f+492Okgu/Teek4HeUz4pFQE6ftJ4Hiffhkhlv4A
ld/Uq6u9IDpp/BuEs5I73Z5XtY0Dw4kiA41jihKFoo8ap2FHfRJAHVsMobdwpSS5
xwU3Pd4ETCU8dM0tr6QwT0rsi0ugXIEwzB8U4wKszUEv6TDPhnbuudl6OIIFpfi3
2E6dZGXTIDrzbji3bECF/KKu/BgzFRrnkuyOmUAV2j+lMxPPHzRL9kk5QDTrTa/+
NKcPugDB8MG4DM0+boeMZijQ3rLQxYTdA7nmn1cezJ9bOnkKinlfBCiWOZIuXLSq
r64y5KxPAkBGsXXjmOxQ
=eLSS
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB

2014-10-02 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mike,

On 10/2/14 12:37 PM, Christopher Schultz wrote:
> With my above configuration, I got a line in my (your) access log
> that looks like this:
> 
> 10.32.219.77 71.178.180.80 10.32.219.77 xf="-" - - 
> [02/Oct/2014:16:33:39 +] "GET" "GET /tools/info.php HTTP/1.1&"
> "&" 200 74249 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9;
> rv:32.0) Gecko/20100101 Firefox/32.0" pid=25180 tid=2846788416
> time_ms=10079
> 
> The log format for that is: "%h %a %{c}a xf=\"%{X-Forwarded-For}i\"
> %l %u %t \"%m\" \"%r&\" \"%q&\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\" pid=%{pid}P tid=%{tid}P time_ms=%D"
> 
> I'll change the RemoteIPTrustedProxy to RemoteIPInternalProxy and 
> enable it and see what happens.

With this configuration:

  RemoteIPHeader X-Forwarded-Form
  RemoteIPInternalProxy 10.0.0.0/8

I get this access log:

10.64.51.235 71.178.180.80 10.64.51.235 xf="-" - -
[02/Oct/2014:16:38:51 +] "GET" "GET /tools/info.php HTTP/1.1&" "&"
200 74692 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0" pid=25339 tid=3014642496 time_ms=14507

In both cases, logging a standard %h for remote IP gives me the
address of the load-balancer. Is that to be expected?

I'm hooking this up to Apache Tomcat on the back-end, and it seems
that Tomcat thinks the "REMOTE_ADDR" for the client is my actual IP
address and not that of the lb/proxy.

Am I just not using the right access log format when under a proxied
configuration?

For Apache 2.2, it looks like mod_remoteip is not an option. I was
considering using a configuration similar to this to get the same effect:

SetEnvIf X-Forwarded-Proto "https" HTTPS=On
SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
SetEnvIf X-Forwarded-Port "(.*)" SERVER_PORT=$1

Is that an appropriate comparable configuration? I'd probably have to
replace "%h" with "%{X-Forwarded-For}i" in the combined log format.
Should I be doing that even when mod_remoteip is in use as well?

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJULYOXAAoJEBzwKT+lPKRYC2wP/2Jm9mn/jGdxjarEDkp2EU+E
UIGUSLMHA3JDn3wY1DklXSfQMowpLFIwEgaeqiT+pXu+Y/VByBXKRRF9AT6Dps6m
XHIxbS2WU/3q1/DSt+C0JXSIZ7DtRAOm04SMSVscKKdOW44SXQ5U8e2K+ivfEBGy
1xycVLEy8Hb0oAKiOkY+Xe5U6++So5fzshDVo/6x68xaGZQTyy6hiFbPIRGU42nK
xIbEaQJY12Oc09J5JN3y7tetejMVjWrOJ47cnmubBK5EwkwK45ekFKzc1uKHKhzC
ZIq8ebmstTfGwpRQdc1LPDe3dyPElanEJu3VMuxWvEo9iSjBwd0JHmTIb26XNeco
nlo5VasGVlaNZOjgCDb8bVykGtxgw6308zMH+5zsycGLN6H0g50UMUhcqM3RcjYf
IG9PquMEx2uLc068wsj92/K7XSNj5nLLRNdDC+I8i1GTJbuyIBWrXsic9AYGDow6
/8krLuBdkMcSAep6FiQdelcLzjU39Ve0hQDzsa/kbpyGf5YoMG4hzOw/ZXRrmIwF
SHgg2lbhP4cyNg9AOANftCxSZFUsKafLdlOsUHtk0oJOi5AQvUr9CkELiyU/lksv
nb9gs/uwXrUvv6+b/uJ023W1WOz87p5r6u7Woy0EjdqtiVPCI5ZYODl9OUgvdADa
epLeLUo2wujvmwHKi+Db
=mysF
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB

2014-10-02 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mike,

On 10/2/14 1:18 PM, Mike Rumph wrote:
> It just occurred to me that you might be referring to the first
> field (%h) in your log records.

Precisely.

> This is going to be the remote hostname. So this is showing the IP
> address of your immediate proxy.

That's what I'm observing.

> If you want to see the true original client IP address (as
> calculated by mod_remoteip), you should add the %a field to your
> LogFormat directive. -
> http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats

Okay, it looked like that's what I should add. I just wanted some
confirmation that %a was correct even with mod_remoteip. For httpd
2.2, would I just use "%{X-Forwarded-For}i" since mod_remoteip is not
available?

Lol, just found this write-up. I'll be reading the whole thing about
now:
http://knowledgevoid.com/blog/2012/01/13/logging-the-correct-ip-address-using-apache-2-2-x-and-amazons-elastic-load-balancer/

Thanks,
- -chris

> On 10/2/2014 9:04 AM, Mike Rumph wrote:
>> Hello Christopher,
>> 
>> Since you are running 2.4.10, you have the latest mod_remoteip
>> fixes. But I think the problem is in the directives that you are
>> using:
>> 
>> RemoteIPHeader X-Forwarded-For #RemoteIPTrustedProxy 10.0.0.0/8
>> 
>> 
>> If you only use the RemoteIPHeader directive, then the default is
>> to treat all proxies as external trusted proxies. Having
>> RemoteIPTrustedProxy set for all your proxies would have the same
>> effect.
>> 
>> I assume by your 10.0.0.0/8 mask that this matches your proxy
>> addresses. But 10.0.0.0/8 is a mask for internal IP addresses. So
>> your proxies will not be accepted as external proxies. And your
>> true client ip address will not be used.
>> 
>> Try the following directives instead:
>> 
>> RemoteIPHeader X-Forwarded-For RemoteIPInternalProxy 10.0.0.0/8
>> 
>> Let us know if this works for you.
>> 
>> Thanks,
>> 
>> Mike Rumph
>> 
>> On 10/2/2014 6:46 AM, Christopher Schultz wrote:
>>> Mike,
>>> 
>>> On 10/1/14 5:40 PM, Mike Rumph wrote:
>>>> What version of Apache httpd are you running?
>>> Thanks for the reply. We are running 2.4 and 2.2 on various
>>> servers, but I'm starting with this one:
>>> 
>>> Server version: Apache/2.4.10 (Amazon) Server built:   Jul 30
>>> 2014 23:57:28
>>> 
>>> This is the httpd package that Amazon bundles with its Amazon
>>> Linux. If possible, I'd prefer to continue to use their
>>> packages.
>>> 
>>>> There have been some mod_remoteip fixes in recent 2.4.x
>>>> releases.
>>>> 
>>>> You could also try setting up some LogFormat directives as in
>>>> bug 55635 to get more information on this. -
>>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55635#c1
>>> I'll modify my log format and post what I get under various 
>>> circumstances.
>>> 
>>> FWIW, I currently have no "Allow" or "Deny" directives in
>>> effect. I was planing eventually to say "Allow from 10/8" or
>>> something equivalent to only allow connections to this virtual
>>> host from the load-balancer. If that's not going to work, it's
>>> easily done at the OS or firewall level.
>>> 
>>> Thanks, -chris
>>> 
>>>> On 10/1/2014 11:00 AM, Christopher Schultz wrote:
>>>>> All,
>>>>> 
>>>>> I'm trying to get httpd working behind an AWS ELB but still
>>>>> using the remote client's information whenever possible.
>>>>> 
>>>>> ELB provides the X-Forwarded-For, X-Forwarded-Port, and 
>>>>> X-Forwarded-Proto HTTP headers. My configuration looks like
>>>>> this:
>>>>> 
>>>>> RemoteIPHeader X-Forwarded-For #RemoteIPTrustedProxy
>>>>> 10.0.0.0/8
>>>>> 
>>>>> (I commented-out the RemoteIPTrustedProxy line to see if
>>>>> that was the problem, and it does not appear to have
>>>>> changed the behavior).
>>>>> 
>>>>> My true client IP address is 71.178.xxx.yyy and I'm making
>>>>> a request through the load balancer. I'm using PHP's
>>>>> "phpinfo()" to dump everything about the request. I can see
>>>>> that the X-Forwarded-For header has been /removed/ from the
>>>>> request (which mod_remoteip says will

  1   2   >